API client (admin key) gets 401 "create the task" when creating a task in a private project — but can create private tasks fine

Developer Forum
1

TL;DR
An admin-level API key can authenticate and create private tasks (baseType: „private“ → 200),
but creating a project task (baseType: „projecttask“) in a PRIVATE project fails with 401
„insufficient permissions / requires: create the task“. The API client is not a member of that
private project, and API clients can’t be added as project members in the UI. What’s the intended
way to let an API client create tasks in a private project?

Setup

  • Auth: admin-level API key (non-user-specific Bearer token) created for a Client Application.
  • GET /me → 200 (workspace resolves correctly).
  • GET /me/permissions → „isAdmin“: true, workspace role „Admin“.
  • Goal: POST /api/v1/tasks to add a task into a specific list of a specific project.

What works

  • GET /me, /users, /projects, /typeofwork, /companies → 200
  • POST /api/v1/tasks with { „name“: „…“, „baseType“: „private“ } → 200 :white_check_mark: (private task created)

What fails

  • POST /api/v1/tasks with:
    { „name“: „…“, „baseType“: „projecttask“, „entityId“: „<PRIVATE_PROJECT_ID>“,
    „lists“: [{ „id“: „<LIST_ID>“, „order“: 1 }] }
    → 401
    {
    „code“: „unauthorized“,
    „description“: „The call to TaskModel was blocked due to insufficient permissions.“,
    „details“: [„This endpoint requires one of the following permissions: create the task“]
    }
  • GET /api/v1/projects/<PRIVATE_PROJECT_ID> → 401 („missing ProjectMasterData read permission“)
  • GET /api/v1/projects/<PRIVATE_PROJECT_ID>/members → 401 („requires pmd“)
  • The private project does NOT appear in GET /api/v1/projects (≈80 other, all public, projects are returned).

Diagnosis so far

  • The token itself can write (private task creation = 200), so it’s not a token/auth problem.
  • The project is private, the API client is simply not a member of it → no project-planning-data:write
    for that project.
  • API clients/keys don’t show up in the project „Members“ picker, so I can’t add them as a project member.
  • The workspace „Admin“ role does not appear to grant Project Tasks = „Edit (all projects)“.

Question
What is the intended/supported way to allow an API client (admin API key) to create tasks in a
PRIVATE project?

  1. Is the only path a workspace role with Project Tasks = „Edit“ (all projects), and does that
    override private-project membership? If so, how do I assign that role to an API client/key?
  2. Or is there a supported way to add an API client as a member of a private project?
  3. Or should this be done via OAuth2 (user-context token) instead of an admin API key?

Thanks!

2

Hi @Marvin4 ,

tricky case.

You have three supported options:

  1. Add the API user as a project member via API. We do not expose API users in the UI member picker, but the API path should work: add the API user id to the private project with a project role that has project task write permissions.

  2. Create the project using the API-user-scoped API key. Then that API user is the project creator and should be allowed to create tasks in the private project.

  3. Use OAuth2 with a user-context token. Then the API call uses that user’s permissions and private-project access.

A workspace admin/API key alone does not automatically bypass private-project membership.

Does that help?