403 unauthorized from invites/new endpoint with third-party OAuth2 token
-
We manage 40+ private team blogs for our company and built an internal automation that configures them via the WordPress.com REST API. Site-level write calls work fine with our token (settings, themes/mine, widgets/new), but POST /rest/v1.1/sites/$site/invites/new consistently returns:
403 {“error”:”unauthorized”,”message”:”You do not have the proper permissions to perform this action.”}
Verified conditions: the OAuth2 token has global scope (confirmed via /me), belongs to the user who is the owner of the target site (the site is listed in /me/sites for this token), and the site was freshly created with no prior API activity. The request body is valid JSON, e.g. {“invitees”: [“(email visible only to moderators and staff)”], “role”: “follower”} — sending invalid parameters returns 400 invalid_input as expected, so the request itself is parsed correctly. The same invitation sent from the same account through the WordPress.com web interface works. Our OAuth2 app ID is 134029.
Is the invites/new endpoint restricted to first-party clients only, or is there something we can change on our side (scopes, app settings) to make programmatic invitations work? If it is restricted, is there a supported way for a business to automate inviting team members to private team sites?
The blog I need help with is: (visible only to logged in users)
-
The invites/new endpoint is not restricted to first-party clients. Third-party OAuth2 apps with proper scope and site ownership can call it successfully.
However, WordPress.com does have protections in place that can affect the availability of certain actions on a per-site basis. This may be what you’re running into.
I’ll follow up with you separately via email to look into the specifics of your account and see what we can do.