APIError: token is not authorized for this scope (Code = 40110000)

About 20 days ago this message started popping up for me and I can’t get the /bars/ endpoint to work. Please advise.

“message”: “forbidden.”

Is the request being made using API key + secret key authentication or using OAuth on behalf of another account? The error 40110000 implies an authorization failure and, depending upon the type of authorization, can have different causes.

If using API key + secret key authorization it typically means the keys are not valid. Ensure the keys match the keys on the account. If it’s for a paper account, the keys will need to be regenerated after each account reset.

If using OAuth to authorize on behalf of another account, this isn’t supported for data. This is due to terms we have in place with our data providers. Below is the language from the terms and conditions for IEX (Polygon is similar).

You may not sell, lease, furnish or otherwise permit or provide access to Investors Exchange (“IEX”) API data, which includes data licensed from third-parties. Any redistribution of the IEX API data that you access through a third party is strictly prohibited.

By definition, the OAuth process allows data owners (i.e., users) to authorize third-party access to their data. This redistribution is prohibited by both IEX and Polygon. This is why data is not authorized when accessing via OAuth.

Check if it could be one of those things.

Dan, thank you for your reply.

We currently use the OAuth method, which was working. But given your answer on OAuth, it seems that it’s appropriately not working now 🙂

Thank you for your response and concise answer.


If data can’t be accessed, then any users of an OAuth app can’t see any market data? Am I understanding that correctly? The OAuth app account itself would have to query that data and pass it along? Obviously that’s not ideal since with any scale the rate limit will hit.

Let me know if that’s accurate.


@Elliot Apps need to source and provide for their own data. While technically the OAuth app account could access data and ‘pass it along’, that is not a permissible use under the individual data terms. If one is displaying or allowing downloads of data, then they need a ‘professional’ data plan license. Alpaca doesn’t currently offer this. I did notice that Quandl offers these plans though. Maybe check them out.