Hi team,

I'm working with the Lucid Chart REST API, specifically on the Teams endpoints, and I’ve observed some unexpected behavior when authenticating via different user roles using OAuth 2.0.

Context:

  • I have two Lucid accounts in the same organization:

    1. An Account Owner (admin-level privileges)

    2. Developer Role account (non-admin, added as a tester collaborator in the OAuth 2.0 app)

  • I’ve registered an OAuth 2.0 app and generated two separate access tokens via Authorization Code flow, one for each user.

  • The developer role account has only the teams + offline_access scopes authorized, and is a member of only one team.

Observations:

1. When using the developer’s token without setting the lucid-request-as header:

GET /teams
Authorization: Bearer <developer_token>

→ Returns a list of all teams in the organization, not just the one the developer belongs to.

2. Using the same developer token with:

GET /teams
Authorization: Bearer <developer_token>
lucid-request-as: user

→ Still returns all teams.

3. When trying to request the teams:admin scope with the developer role account:

→ The token request fails due to insufficient privileges, as expected.

Questions:

  1. Is this behavior expected when using an access token from a user with the developer role, added as a tester collaborator in the OAuth app?

  2. Should the /teams endpoint return all teams in the org for a user that only belongs to one team?

  3. How does the lucid-request-as header influence the /teams response in this case?

  4. Is there any recommended way to limit /teams results to only those the authenticated user has access to?

Appreciate your guidance to better align our integration with Lucid’s expected API usage.

Thanks!

Hi iobuildersatko,

Great questions. The intended behavior of /teams is that it returns all “teams the authenticated user has at least read-only access to” (from the docs). This does include all teams in the organization (or rather, all teams in the organization that are not set to hidden). This is intended, and matches the behavior in the UI: If you go to your Lucid dashboard, you should be able to see all non-hidden teams in your organization, even if your user is not an admin/doesn’t have admin permissions.

A notable detail is that /teams (as well as the Teams list in the UI) is not exposing the contents of teams, but merely their existence:

  • As a user without admin permissions, /teams allows you to view the existence of all non-hidden teams in your organization.
    • Other endpoints allow you to access the contents of only the teams that either (1) you belong to, or (2) are set to open.
  • As a user with admin permissions, /teams allows you to view the existence of all teams in your organization, regardless of whether they’re hidden.

You will also likely be interested in the filter option for /teams: note in the docs that there is the option to include ?filter=include=memberonly, which will restrict the response to only teams of which the authenticated user is a member.
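To make the two points of this answer concrete (the header alone does not narrow the listing; the memberonly filter does, and a team appearing in /teams only proves its existence, not that the caller can read its contents), here is a small Python client, added as an example and not code from Lucid or from the original poster. It assumes a placeholder API base URL (the thread never states the host), that the /teams response is a JSON list of objects with an "id" key (the response schema is not documented in the thread), and it uses an injectable transport so the flow runs offline against constructed sample bodies.

```python
import json
import urllib.request

# Placeholder base URL: the thread never states the API host, so this is
# an assumption to replace with the real Lucid API base URL.
BASE_URL = "https://api.example.invalid"

# Query string quoted in the answer above.
MEMBER_ONLY_FILTER = "filter=include=memberonly"


def build_teams_request(token, member_only=True, request_as_user=True):
    """Return (url, headers) for GET /teams.

    member_only appends ?filter=include=memberonly so the response is
    restricted to teams the authenticated user is a member of.
    request_as_user adds the lucid-request-as: user header from the
    original question; as the answer explains, that header by itself
    does not narrow the listing, so it is kept only for completeness.
    """
    url = BASE_URL + "/teams"
    if member_only:
        url += "?" + MEMBER_ONLY_FILTER
    headers = {"Authorization": "Bearer " + token}
    if request_as_user:
        headers["lucid-request-as"] = "user"
    return url, headers


def _http_get(url, headers):
    """Default transport: a real GET over urllib, returning the body as str."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


def fetch_teams(token, member_only=True, send=_http_get):
    """GET /teams and return the parsed JSON body.

    `send(url, headers) -> str` is injectable so the call can be
    exercised offline with a fake transport and constructed bodies.
    """
    url, headers = build_teams_request(token, member_only=member_only)
    return json.loads(send(url, headers))


def visible_but_not_member(all_teams, member_teams, key="id"):
    """Teams present in the unfiltered listing but absent from the
    member-only listing: their existence is visible to the caller, but
    that visibility says nothing about access to their contents, so it
    must not be used as an authorization signal.

    Assumption: each team is a JSON object carrying a unique `key`
    (default "id"); the thread does not document the response schema.
    """
    member_ids = {t[key] for t in member_teams}
    return [t for t in all_teams if t[key] not in member_ids]


if __name__ == "__main__":
    # Constructed sample bodies standing in for the two API responses.
    SAMPLE = {
        BASE_URL + "/teams": '[{"id": "t1", "name": "Eng"}, {"id": "t2", "name": "Sales"}]',
        BASE_URL + "/teams?" + MEMBER_ONLY_FILTER: '[{"id": "t1", "name": "Eng"}]',
    }
    fake_send = lambda url, headers: SAMPLE[url]
    everything = fetch_teams("developer-token", member_only=False, send=fake_send)
    mine = fetch_teams("developer-token", member_only=True, send=fake_send)
    print("member teams:", mine)
    print("listed but not a member:", visible_but_not_member(everything, mine))
```

Use `fetch_teams(token)` (member_only defaults to True) wherever the integration needs the caller's own teams; keep the unfiltered call for discovery only, and gate any access decision on the other endpoints the answer mentions rather than on a team's presence in the listing.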