• Plans & Pricing
  • Log in
  • Get started
  • WordPress Hosting
  • WordPress for Agencies
  • Ecommerce
  • Become an Affiliate
  • Domain Names
  • AI Website Builder
  • Website Builder
  • Create a Blog
  • Newsletter
  • Professional Email
  • Website Design Services
  • WordPress Studio 
  • Enterprise WordPress 
  • Overview
  • WordPress Themes
  • WordPress Plugins
  • WordPress Patterns
  • WordPress AI Features
  • Google Apps
  • Support Center
  • WordPress News
  • Business Name Generator
  • Logo Maker
  • Discover New Posts
  • Popular Tags
  • Blog Search
Get started
  • Sign up
  • Log in
About
  • Plans & Pricing
Products
  • WordPress Hosting
  • WordPress for Agencies
  • Ecommerce
  • Become an Affiliate
  • Domain Names
  • AI Website Builder
  • Website Builder
  • Create a Blog
  • Newsletter
  • Professional Email
  • Website Design Services
  • WordPress Studio  
  • Enterprise WordPress  
Features
  • Overview
  • WordPress Themes
  • WordPress Plugins
  • WordPress Patterns
  • WordPress AI Features
  • Google Apps
Resources
  • Support Center
  • WordPress News
  • Business Name Generator
  • Logo Maker
  • Discover New Posts
  • Popular Tags
  • Blog Search
Jetpack App
  • Learn more
  • Support Center
  • Guides
  • Courses
  • Forums
  • Contact
Search
  • Support Center
  • Guides
  • Courses
  • Forums
  • Contact
Forums / 403 unauthorized from invites/new endpoint with third-party OAuth2 token

403 unauthorized from invites/new endpoint with third-party OAuth2 token

  • Unknown's avatar
    katsiarynatarasiuk · Member · Jul 10, 2026 at 6:38 am
    • Copy link Copy link
    • Add topic to favorites Add topic to favorites

    We manage 40+ private team blogs for our company and built an internal automation that configures them via the WordPress.com REST API. Site-level write calls work fine with our token (settings, themes/mine, widgets/new), but POST /rest/v1.1/sites/$site/invites/new consistently returns:

    403 {“error”:”unauthorized”,”message”:”You do not have the proper permissions to perform this action.”}

    Verified conditions: the OAuth2 token has global scope (confirmed via /me), belongs to the user who is the owner of the target site (the site is listed in /me/sites for this token), and the site was freshly created with no prior API activity. The request body is valid JSON, e.g. {“invitees”: [“(email visible only to moderators and staff)”], “role”: “follower”} — sending invalid parameters returns 400 invalid_input as expected, so the request itself is parsed correctly. The same invitation sent from the same account through the WordPress.com web interface works. Our OAuth2 app ID is 134029.

    Is the invites/new endpoint restricted to first-party clients only, or is there something we can change on our side (scopes, app settings) to make programmatic invitations work? If it is restricted, is there a supported way for a business to automate inviting team members to private team sites?

    The blog I need help with is: (visible only to logged in users)

  • Unknown's avatar
    staff-garyp · Staff · Jul 10, 2026 at 11:08 am
    • Copy link Copy link

    Hi @katsiarynatarasiuk,

    The invites/new endpoint is not restricted to first-party clients. Third-party OAuth2 apps with proper scope and site ownership can call it successfully.

    However, WordPress.com does have protections in place that can affect the availability of certain actions on a per-site basis. This may be what you’re running into.

    I’ll follow up with you separately via email to look into the specifics of your account and see what we can do.

Log in or create an account to reply
Log in Create Account

Tags

  • account
  • currency
  • design
  • payment

About this topic

  • In: Support
  • 2 participants
  • 1 reply
  • Last activity 6 days
  • Latest reply from katsiarynatarasiuk

Have a question?

Get in touch
Back to Top

Couldn't find what you needed?

Contact us

Get answers from our AI assistant, with access to 24/7 expert human support on paid plans.

Browse our guides

Find step-by-step solutions to common questions in our comprehensive guides.

WordPress.com

Products
  • WordPress Hosting
  • WordPress for Agencies
  • Ecommerce
  • Become an Affiliate
  • Domain Names
  • AI Website Builder
  • Website Builder
  • Create a Blog
  • Professional Email
  • Website Design Services
  • WordPress Studio
  • Enterprise WordPress
Features
  • Overview
  • WordPress Themes
  • WordPress Plugins
  • WordPress Patterns
  • WordPress AI Features
  • Google Apps
Resources
  • WordPress.com Blog
  • Business Name Generator
  • Logo Maker
  • WordPress.com Reader
  • Accessibility
  • Remove Subscriptions
Help
  • Support Center
  • Guides
  • Courses
  • Forums
  • Contact
  • Developer Resources
Company
  • About
  • Press
  • Terms of Service
  • Privacy Policy
  • Do Not Sell or Share My Personal Information
  • Privacy Notice for California Users
DeutschEspañolFrançaisBahasa IndonesiaItalianoNederlandsPortuguês do BrasilSvenskaTürkçeРусскийالعربيةעִבְרִית日本語한국어简体中文繁體中文English

Mobile Apps

  • Download on the App Store
  • Get it on Google Play

Social Media

  • WordPress.com on Facebook
  • WordPress.com on X (Twitter)
  • WordPress.com on Instagram
  • WordPress.com on YouTube

Automattic

Automattic
Work With Us
    • WordPress.com Forums
    • Sign up
    • Log in
    • Copy shortlink
    • Report this content
    • Manage subscriptions