Skip to main content
hamburger menu
+ Create a topic
Answer

How to create share link using API

  • May 6, 2025
  • 8 replies
  • 75 views
D
Forum|alt.badge.img+2

I try to create a share link using the API
 

curl --request POST \
     --url https://api.lucid.co/documents/<MY DOC ID>/shares/shareLinks \
     --header 'Lucid-Api-Version: 1' \
     --header 'accept: application/json' \
     --header 'authorization: Bearer <MY KEY>' \
     --header 'content-type: application/json' \
     --data '
{
  "role": "editandshare"
}

I get 

​​​​​​​{
  "code": "accessForbidden",
  "message": "Access to this resource is forbidden",
  "requestId": "eb1ab5121051b735"
}

I have Team plan. The document was created by me using API https://developer.lucid.co/reference/createorcopyorimportdocument

What is wrong with my request?

Best answer by Michael B

Ah, that is on me.  The `auditLogs` script generates an `Account Token` which audit logs require. But, share links require a `User Token` (which most do).

 

 Remove the `account.audit.logs` scope and change this line: https://github.com/lucidsoftware/sample-lucid-rest-applications/blob/main/audit-logs-ingestor/oauth2.py#L69 to be:

authorize_url = "https://lucid.app/oauth2/authorize

 to generate a ‘User Token’

 

Additionally, I’ll fix the error message. It should say: "code": "userOperationOnly"

Comments

D
Forum|alt.badge.img+2
  • dyashuni
  • Author
  • May 6, 2025

I created this document using API https://developer.lucid.co/reference/createorcopyorimportdocument

Michael B
Forum|alt.badge.img+4
  • Michael B
  • Lucid product team
  • May 6, 2025

Unfortunately, https://developer.lucid.co/reference/createdocumentsharelink does not accept API keys. For security purposes, a share link must correspond to an OAuth2 client.

Generating an OAuth2 token can be found here: https://developer.lucid.co/reference/using-oauth-20.  Additionally, an example of a python script that helps get and refresh OAuth2 tokens can be found here: https://github.com/lucidsoftware/sample-lucid-rest-applications/tree/main/audit-logs-ingestor (the audit log specific stuff being irrelevant here)

D
D
Forum|alt.badge.img+2
  • dyashuni
  • Author
  • May 6, 2025

Thank you ​@Michael B , let me check it!

D
Forum|alt.badge.img+2
  • dyashuni
  • Author
  • May 6, 2025

@Michael B 
I got access token using authenticate function from 
https://github.com/lucidsoftware/sample-lucid-rest-applications/blob/main/audit-logs-ingestor/oauth2.py
But when I use the token

import requests

url = "https://api.lucid.co/documents/<MY DOC ID>/shares/shareLinks"

payload = {
    "role": "editandshare",
    "linkSecurity": {
        "restrictToAccount": True,
        "allowAnonymous": True
    }
}
headers = {
    "accept": "application/json",
    "Lucid-Api-Version": "1",
    "content-type": "application/json",
    "authorization": "Bearer <MY OAUTH2 ACCESS TOKEN>"
}

response = requests.post(url, json=payload, headers=headers)

print(response.text)


I get

{
  "code": "accountOperationOnly",
  "message": "Only OAuth2 clients can perform this operation on behalf of a user",
  "requestId": "1aabcd2f027b6732"
}

What is the issue?

D
Forum|alt.badge.img+2
  • dyashuni
  • Author
  • May 6, 2025

actually I slightly changed the python code, I use the following scope when I request the code from redirect URL:
"&scope=account.audit.logs+offline_access+lucidchart.document.content.share.link+lucidchart.document.app.picker.share.link"

Michael B
Forum|alt.badge.img+4
  • Michael B
  • Lucid product team
  • Answer
  • May 7, 2025

Ah, that is on me.  The `auditLogs` script generates an `Account Token` which audit logs require. But, share links require a `User Token` (which most do).

 

 Remove the `account.audit.logs` scope and change this line: https://github.com/lucidsoftware/sample-lucid-rest-applications/blob/main/audit-logs-ingestor/oauth2.py#L69 to be:

authorize_url = "https://lucid.app/oauth2/authorize

 to generate a ‘User Token’

 

Additionally, I’ll fix the error message. It should say: "code": "userOperationOnly"

D
D
Forum|alt.badge.img+2
  • dyashuni
  • Author
  • May 7, 2025

@Michael B Thank you, with

"linkSecurity": {
    "restrictToAccount": False,
    "allowAnonymous": False
}

works for me!

Michael B
Forum|alt.badge.img+4
  • Michael B
  • Lucid product team
  • May 7, 2025

Awesome. I’ll get a version of that helper script created that’s more endpoint agnostic (and ask the user which type of token they want).

Level up your skills & unlock exclusive perks!

Join Lucid Legends
Lucid Software Inc. Supplemental Community TermsAccessibility statement

Get Started

Products

Solutions

Resources

Company

Privacy Legal Cookie privacy choices Cookie policy
© 2025  Lucid Software Inc.