BIM360/ACC Provisioning Checklist: Fix 403 Errors

The #1 cause of APS API 403 errors — and how to fix them

⚠️ The Problem

Getting 403 Forbidden errors when calling APS APIs with BIM360 or Autodesk Construction Cloud (ACC)? You’re not alone.

The root cause: Developers don’t realize they must manually enable custom integrations from the ACC admin console. This isn’t mentioned in most tutorials, causing hours of frustration.

🎯 Quick Fix

If you’re getting 403 errors, skip to Step 3 — that’s usually the missing piece.

📋 Complete Setup Checklist

Step 1: Create APS Application

✅ Prerequisites:

• Autodesk account with developer access
• Access to aps.autodesk.com

✅ App Creation:

• Logged into APS Developer Portal
• Created new application
• Noted Client ID (you’ll need this exact value)
• Noted Client Secret (keep secure!)
• Set Callback URL correctly:
  • Development: http://localhost:3000/callback
  • Production: Your actual domain
• Selected required API access:
  • ✅ Data Management API
  • ✅ Model Derivative API
  • ✅ Any other APIs you need

Step 2: Verify ACC Admin Access

✅ Account Requirements:

• You are an Account Admin in ACC/BIM360 (not just Project Admin)
• Your ACC subscription is active
• You can access Account Administration settings

❌ If you’re NOT an Account Admin:

Contact your ACC Account Admin and ask them to:
1. Add your APS Client ID to custom integrations
2. Grant required permissions
3. Share the integration details with you

Step 3: Enable Custom Integration (CRITICAL STEP)

🚨 This step is missed by 90% of developers

✅ In ACC Admin Console:

• Logged into ACC as Account Admin
• Navigated to: Account Admin → Settings → Custom Integrations
• Clicked “Add Custom Integration”
• Entered your exact Client ID from Step 1
• Selected required access levels:
  • ✅ BIM 360 Account Admin (for account-level operations)
  • ✅ BIM 360 Docs (for file operations)
  • ✅ Any additional services you need
• Completed the integration wizard
• Waited 5-10 minutes for propagation

⏱️ Common mistake: Not waiting for propagation. Changes take 5-10 minutes.

Step 4: Per-Project Setup (If Using 2-Legged Auth)

✅ Project-Level Access:

• Added the custom integration to specific projects
• Verified integration appears in Project Admin → Integrations
• Granted necessary project permissions

✅ For 3-Legged Auth:

• Ensured user has project access
• User accepted any pending invitations
• User has appropriate role (Admin, Member, etc.)

Step 5: Test Authentication

✅ Basic Connection Test:

# Using RAPS CLI
raps auth login
raps dm projects

# Should list your ACC projects without 403 errors

✅ Manual API Test:

# Get 3-legged token first, then:
curl -X GET \
  'https://developer.api.autodesk.com/project/v1/hubs' \
  -H 'Authorization: Bearer YOUR_3LEGGED_TOKEN'

# Should return hub data, not 403

🔧 Troubleshooting 403 Errors

Error: “client_id does not have access”

❌ Cause: Integration not added to ACC (Step 3 skipped) ✅ Fix: Complete Step 3 — add Client ID to Custom Integrations

Error: “User not authorized”

❌ Cause: User lacks project permissions ✅ Fix: Grant user project access or use 2-legged auth

Error: “Project not found”

❌ Cause: 3-legged token from wrong user ✅ Fix: Ensure user has access to the specific project

Error: “Forbidden” (generic)

❌ Cause: Multiple possible issues ✅ Fix: Work through checklist step by step

🎭 Auth Flow Comparison

💡 RAPS CLI handles both flows automatically:

# 3-legged (interactive)
raps auth login

# 2-legged (automated)  
raps auth set --client-id ID --client-secret SECRET

🕐 Timeline for Setup

Total: 15-30 minutes + admin approval time

🚨 Common Gotchas

1. Client ID Copy-Paste Errors

Problem: Typos when copying Client ID to ACC Solution: Copy-paste, don’t type manually

2. Regional Differences

Problem: EMEA accounts have different requirements Solution: Use correct base URL and region headers

3. Multi-Tenant Confusion

Problem: Multiple ACC accounts, wrong integration Solution: Verify you’re in the correct account

4. Permission Inheritance

Problem: Assuming project permissions = account permissions Solution: Grant both account AND project access

🔄 Migration from Forge

If migrating from Forge:

Old Forge App → New APS App:
✅ Same process applies
✅ Must still add Client ID to ACC Custom Integrations  
✅ No automatic permission transfer

Migration checklist:

• Created new APS app (or migrated existing)
• Updated ACC Custom Integrations with new Client ID
• Tested all project access
• Updated application code to use APS endpoints

💻 Testing with RAPS CLI

Validate your setup:

# 1. Check authentication
raps auth status

# 2. List accessible hubs
raps dm hubs

# 3. List projects in each hub
raps dm projects --hub-id <hub-id>

# 4. Test file operations
raps dm folders <project-id>

# 5. Verify provisioning status
raps acc check-provisioning

Expected output:

• ✅ No 403 errors
• ✅ Your ACC projects listed
• ✅ Folder structure visible

📞 When You Need Help

Still getting 403s after following this guide?

Check these:

1. Timing: Wait 15+ minutes after adding integration
2. Region: Ensure consistent US/EMEA region usage
3. Scopes: Verify your token has required scopes
4. User: Confirm the user actually has project access

Get support:

• 🆘 RAPS Discord: discord.gg/raps
• 📧 Email: support@rapscli.xyz
• 🤖 RAPS CLI: raps support create-ticket

🎯 Success Checklist

You’re ready when:

• No 403 errors on basic API calls
• Can list ACC projects via API
• Can upload/download files
• RAPS CLI authentication works
• All team members can access

Time saved: ~4 hours of debugging per developer 🎉

📚 Related Guides

• 3-Legged Auth Visual Walkthrough — Understanding OAuth flow
• Token Refresh Patterns — Production authentication
• Region Mismatch Debugger — US/EMEA troubleshooting

Last Updated: January 2026 | RAPS v4.2.1
Based on community feedback from 1000+ developers