We’re experiencing a frustrating issue with our RPA bot integration. The bot triggers perfectly when executed manually through the AgilePoint API, but fails consistently with a 403 Forbidden error when run via scheduled execution.
Here’s the error we’re getting:
HTTP 403: Forbidden - Insufficient permissions
Endpoint: /api/v1/rpa/bots/execute
Scheduled Task: DailyDataSync_Bot
The service account has API permissions configured, and we’ve verified the OAuth token is valid. The same credentials work fine for manual API calls. We suspect it might be related to how scheduled tasks authenticate versus interactive sessions, but we’re not sure about the specific service account roles needed for scheduled execution. Has anyone encountered this permission discrepancy between manual and scheduled API triggers?
I’ll provide a comprehensive solution addressing all three key aspects: API permissions, service account roles, and scheduled execution configuration.
Service Account Role Configuration:
Navigate to Admin Console > Security > Service Accounts and ensure your scheduler service account has these specific roles:
- ‘RPA Bot Executor’ (required for bot triggering)
- ‘Scheduled Task Runner’ (required for scheduler context)
- Verify the account is not disabled or expired
API Permission Setup:
The critical issue is authentication scope. Update your OAuth application registration:
// Application permissions needed (not delegated)
rpa.bots.execute
scheduler.tasks.run
process.instances.read
Scheduled Task Authentication:
Modify your scheduled task configuration to use application credentials:
- In your scheduler configuration, specify the service account explicitly
- Use client credentials flow for token acquisition (not authorization code flow)
- Update the authentication header in your scheduled task:
POST /api/v1/rpa/bots/execute
Authorization: Bearer {app_token}
X-Scheduler-Context: service-account
Token Acquisition for Scheduled Execution:
Your scheduled task should acquire tokens using client credentials grant:
POST /oauth/token
grant_type=client_credentials
client_id={service_account_id}
client_secret={service_account_secret}
scope=rpa.bots.execute scheduler.tasks.run
The key difference: manual API calls work because they use YOUR user token with delegated permissions. Scheduled tasks must use application-level permissions with the service account principal. The 403 error occurs because your current setup is trying to use delegated permissions in a non-interactive context.
Verification Steps:
- Test token acquisition with client credentials flow
- Verify the token includes application permissions (decode the JWT and check ‘roles’ claim)
- Ensure the service account has both required roles assigned
- Update scheduler task to use the service account context header
After implementing these changes, your scheduled bot executions should authenticate properly using application permissions rather than attempting delegated user permissions, which resolves the 403 Forbidden error.
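The JWT check from the verification steps above, as an added example that is not part of the original answer and is not AgilePoint code: it decodes a token's payload locally and reports whether it carries the application permissions listed in the answer in its 'roles' claim. Treating 'scp'/'scope' as the delegated-permission claims, and the sample tokens themselves, are assumptions made for illustration.

```python
import base64
import json

# Permission names as listed in the answer above.
REQUIRED = {"rpa.bots.execute", "scheduler.tasks.run"}

def decode_claims(token):
    """Return the JWT payload. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def as_set(value):
    """Accept a JSON array or a space-delimited string (both forms are assumed)."""
    if isinstance(value, str):
        return set(value.split())
    if isinstance(value, list):
        return {str(v) for v in value}
    return set()

def check_token(token, required=REQUIRED):
    claims = decode_claims(token)
    roles = as_set(claims.get("roles"))
    # 'scp' / 'scope' as the delegated-permission claims is an assumption.
    delegated = as_set(claims.get("scp")) | as_set(claims.get("scope"))
    kind = "application" if roles else "delegated" if delegated else "unknown"
    missing = sorted(set(required) - roles)
    return {"kind": kind, "missing": missing,
            "ok": kind == "application" and not missing}

def make_sample(claims):
    """Build an unsigned, constructed token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    app = make_sample({"sub": "svc-scheduler", "roles": sorted(REQUIRED)})
    user = make_sample({"sub": "jane", "scp": "rpa.bots.execute scheduler.tasks.run"})
    for name, tok in (("app", app), ("user", user)):
        print(name, check_token(tok))
```

A token that reports "delegated" here carries the right permission names in the wrong claim, which is the manual-versus-scheduled discrepancy the answer describes.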
Be careful with role accumulation. For scheduled RPA bot execution, you need ‘RPA Bot Executor’ and ‘Scheduled Task Runner’ at minimum. The ‘Process Automation Service’ role is broader and includes permissions for process instances, which may not be necessary if you’re just triggering bots. I’d recommend starting with the two specific roles and testing. Also, ensure your OAuth token scope includes ‘rpa.execute’ and ‘scheduler.run’ scopes when the scheduled task authenticates.
This is definitely a service account role issue. In AgilePoint, scheduled executions require the service account to have both API access AND the ‘Process Initiator’ role at minimum. The 403 error suggests your service account can authenticate but lacks authorization for scheduled bot execution. Go to Admin Console > Security > Service Accounts and verify the account used by your scheduler has the ‘RPA Bot Executor’ role assigned. Also check if there are any IP restrictions on the service account that might block scheduler service requests.
One thing that caught me before: scheduled tasks in AgilePoint use a different authentication flow than interactive API calls. Interactive calls use delegated permissions (your user context), while scheduled tasks use application permissions (service principal context). Make sure your OAuth app registration includes application-level permissions, not just delegated ones. The token acquisition method differs too - scheduled tasks can’t use interactive login flows.