Difference in API Permissions Between Bearer Token and OAuth2 Authentication

Hello,

I am encountering an issue where certain Wrike API endpoints do not appear to have the same permissions depending on the authentication method used.

For example, using the same user's API application (in which both OAuth2 and a Permanent Access Token were defined):

  • When using a Bearer Token, I am able to successfully retrieve user details with the following URL:
    https://www.wrike.com/api/v4/users/KUAVLNPL

  • However, when using OAuth2 authentication, the same request results in the following error:

403 - {"errorDescription":"Action is not allowed in requested scope","error":"not_allowed"}

Here is the full request from the OAuth2 attempt:

{
  "headers": {
    "accept": "application/json,text/html,application/xhtml+xml,application/xml,text/*;q=0.9, image/*;q=0.8, */*;q=0.7",
    "Authorization": "**hidden**"
  },
  "method": "GET",
  "uri": "https://www.wrike.com/api/v4/users/KUAVLNPL",
  "gzip": true,
  "rejectUnauthorized": true,
  "followRedirect": true,
  "resolveWithFullResponse": true,
  "followAllRedirects": true,
  "timeout": 300000,
  "encoding": null,
  "json": false,
  "useStream": true
}

I am currently trying to replace all API calls that use Permanent Access Tokens (PAT) with OAuth2, as recommended in the developer documentation for production environments. However, it seems that the permissions applied through OAuth2 differ from those available when using a Bearer Token, even though both should theoretically provide access to the same API resources.

I’ve noticed this behavior specifically on the /users endpoint, while most others do not seem to have this issue. For now, I have a hybrid setup using OAuth2 for most flows and falling back to PAT when necessary.

Is there something I might be configuring incorrectly, or is there an additional scope/setting required for OAuth2 to access the /users endpoint?

Stephen.

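Added example (not part of the original post and not Wrike's own code): a small Node.js script that replays the request above under a PAT and an OAuth2 access token and classifies each response, so that a scope denial (a 403 whose body reads "Action is not allowed in requested scope", exactly as reported in the post) can be told apart from an invalid or expired token (401) or some other 403. The request function is injected so the script runs offline against constructed responses; the token values, the `pat`/`oauth2` labels, the 200 body and the `diagnose` wording are assumptions made for the example, not real Wrike data or documented behaviour.

```javascript
// Added example, not from the original post or from Wrike. It sends the same
// GET under two credentials and classifies the outcome of each.

const WRIKE_USER_URL = "https://www.wrike.com/api/v4/users/KUAVLNPL"; // URL from the post

// Classify one HTTP response by status and body.
//   "ok"           2xx
//   "unauthorized" 401: token missing, invalid or expired (not a scope problem)
//   "scope_denied" 403 whose body says the action is outside the token's scope
//   "forbidden"    any other 403
//   "other"        anything else
function classifyResponse(status, bodyText) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 401) return "unauthorized";
  if (status === 403) {
    let body = null;
    try {
      body = JSON.parse(bodyText);
    } catch (_) {
      body = null; // non-JSON body: treat as a generic 403
    }
    // Body shape from the post: {"errorDescription":"Action is not allowed in requested scope","error":"not_allowed"}
    if (body && body.error === "not_allowed" && /scope/i.test(body.errorDescription || "")) {
      return "scope_denied";
    }
    return "forbidden";
  }
  return "other";
}

// Send the same GET once per credential. `request(url, headers)` must return
// { status, body } synchronously; wrap a real HTTP client accordingly.
function compareAuthMethods(url, tokens, request) {
  const results = {};
  for (const [label, token] of Object.entries(tokens)) {
    const { status, body } = request(url, {
      Accept: "application/json",
      Authorization: `Bearer ${token}`, // the post sends both the PAT and the OAuth2 token as Bearer
    });
    results[label] = classifyResponse(status, body);
  }
  return results;
}

// Turn the pair of outcomes into a verdict (wording is the example's own).
function diagnose(results) {
  const { pat, oauth2 } = results;
  if (pat === "ok" && oauth2 === "scope_denied") {
    return "scope gap: the OAuth2 token lacks a scope this endpoint requires";
  }
  if (pat === "ok" && oauth2 === "unauthorized") {
    return "token problem: the OAuth2 access token is invalid or expired, not a scope issue";
  }
  if (pat === oauth2) {
    return `both credentials agree (${pat}); the difference is not the auth method`;
  }
  return `mixed result (pat=${pat}, oauth2=${oauth2}); inspect the raw responses`;
}

// Constructed responses reproducing the outcome the post reports; not captured from Wrike.
const constructedResponses = {
  "Bearer pat-placeholder": { status: 200, body: '{"data":[]}' }, // placeholder success body
  "Bearer oauth2-placeholder": {
    status: 403,
    body: '{"errorDescription":"Action is not allowed in requested scope","error":"not_allowed"}',
  },
};

// Offline stand-in for an HTTP client: looks the Authorization header up in the table above.
function offlineRequest(url, headers) {
  const r = constructedResponses[headers.Authorization];
  return r || { status: 401, body: "{}" }; // unknown token: behave like an invalid credential
}

function runOfflineComparison() {
  const results = compareAuthMethods(
    WRIKE_USER_URL,
    { pat: "pat-placeholder", oauth2: "oauth2-placeholder" }, // placeholder token values
    offlineRequest,
  );
  return { results, verdict: diagnose(results) };
}

console.log(runOfflineComparison());
```

With a real client, make `request` return `{ status, body }` from the HTTP call (or turn the functions async and await each call). A `scope_denied` result for the OAuth2 token while the PAT returns `ok` points at the scopes the application requested during authorization rather than at the token itself, which is the case worth separating before changing any other configuration.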
3 comments
Hi Stephen Remillard 👋 thanks for posting! I’ve asked one of our API experts to get in touch with you. You can expect them to reach out to you shortly.

Rohan V, Community Team at Wrike


Hi, I have the same question. Any chance you could share the resolution?

Welcome to the Community, Louca Dufault! 🙋‍♂️
 
To ensure you get an accurate answer to your question and any further assistance you might need, I’ve asked our Support Team, who are knowledgeable about APIs, to reach out to you. They should be in touch with you shortly.

Rohan V, Community Team at Wrike
