I'm running a Fusion 360 Design Automation workitem (signed activity, 3LO-token POST). The workitem POST is accepted (HTTP 200), download phase succeeds, then the job immediately fails at "Getting token" with:
TASK_ERRORCODE_BEARER_TOKEN_GENERATION_FAILURE:
The requested scope is invalid, unknown, malformed,
or exceeds the scope granted by the resource owner.
Workitem status ends failedInstructions. The TaskScript never executes — no adsk.log entries appear in the report.
This is a different sub-variant of this SO thread, where the message was missing required parameter 'subject_token' (empty/invalid PAT). My PAT is present and valid; the DA service rejects its scopes.
What I have verified
| # | Check | Result |
|---|---|---|
| 1 | PAT exists at profile.autodesk.com/Security, Application scope = Fusion Automation API (the only Fusion-related scope currently offered in the dropdown; the aps-configurator-fusion sample docs still reference an older name Design Automation for Fusion, which appears to be a rename of the same product) |
ok |
| 2 | PAT regenerated three times, three different tokens tried — same error | ok |
| 3 | App owner and PAT user are the same Autodesk account (mirko.mertens@floetotto.de), verified via the Collaborators tab on the app in aps.autodesk.com |
ok |
| 4 | All 23 APIs are subscribed on the app in the APS dev hub, including Automation API, Data Management API, User Profile API |
ok |
| 5 | Two active APS Pay as You Go subscriptions assigned to the Flötotto team (one assigned about two weeks ago, the second assigned during this troubleshooting session) |
ok |
| 6 | The same 3LO token used for the workitem POST successfully browses hubs, folders and file versions via the Data Management API; the Fusion file URN resolves correctly | ok |
| 7 | Activity created and signed via aps-da-cli. Workitem POST returns 200, signedId is accepted by APS — so the activity definition and signature are valid |
ok |
| 8 | Fusion Team hub admin console has no Custom Integration provisioning section (that exists only for BIM 360 / ACC accounts; not applicable for Fusion Team hubs) |
n/a |
Everything I can independently verify checks out. The DA worker still refuses to mint a hub-scoped bearer token from the PAT.
Reference details
- Client ID (app):
wxiCRG7srLmiRUlpBUN7KzWGa6WUVwjeoLoboeE3eURYpxHk - App name:
Konfigurator - App owner:
mirko.mertens@floetotto.de - APS Dev Hub (where the app is registered):
Flötotto Hub, urnurn:adsk.ace:prod.hub:9a7cc9bc-6cdf-42d1-9004-5c396d227f3d - DA Nickname:
floetotto_aps - Activity:
floetotto_aps.ScriptJob+prod - Engine:
Autodesk.Fusion_Latest!191 - Target data hub (
hubIdinTaskParameters):a.YnVzaW5lc3M6ZmxvZXRvdHRv(Flötotto Fusion Team / Business Hub; my user is a member) - PAT Application scope:
Fusion Automation API - Application Type (app settings): Traditional Web App
- Grant Type (app settings): Authorization Code and Client Credentials
Failing workitem IDs
All four show the same Getting token -> TASK_ERRORCODE_BEARER_TOKEN_GENERATION_FAILURE sequence, with three different PATs (verified via different Masked: hashes in the reports):
d0b3e230ad7745d5877f820fec4df817(2026-05-19 23:03 UTC)ebb85ba063e243fa934a9c47a910c8f6(2026-05-19 22:11 UTC)050e4dd9e4824c66b5ec38046768d5be(2026-05-19 22:11 UTC)f3b9843e5f2f4d13bb86b6eda217282f(2026-05-19 21:45 UTC)
Workitem POST body (relevant parts, sensitive fields redacted)
Endpoint and auth:
POST https://developer.api.autodesk.com/da/us-east/v3/workitems
Authorization: Bearer <3LO-token of user mirko.mertens@floetotto.de>
Content-Type: application/json
Request body:
{
"activityId": "floetotto_aps.ScriptJob+prod",
"signatures": { "activityId": "" },
"arguments": {
"PersonalAccessToken": "",
"TaskParameters": "{\"fileURN\":\"urn:adsk.wipprod:dm.lineage:mmwJWfrWSoiHVLXCTkf3Bw\",\"hubId\":\"a.YnVzaW5lc3M6ZmxvZXRvdHRv\",\"fileSuffix\":\"...\",\"parameters\":{\"Breite\":\"1400 mm\",\"Tiefe\":\"800 mm\"},\"features\":{}}",
"TaskScript": ""
}
}
The TaskScript is the standard sample script from autodesk-platform-services/aps-configurator-fusion, with only the documented doc.dataFile.name -> file.name fix applied. That detail is irrelevant here because the script never starts running.
Question
The DA worker token-exchange path is opaque to me as a developer. What additional provisioning is required so that a Fusion Automation API PAT can be exchanged for a hub-scoped bearer token when the workitem targets a Fusion Team hub?
Specifically:
- Are there scopes that
Fusion Automation API(the only Fusion scope currently offered in the Profile-PAT dropdown) does not grant, which the DA token endpoint requires? - Does my Autodesk user need a role or permission on the target Fusion Team hub
a.YnVzaW5lc3M6ZmxvZXRvdHRvbeyond plain membership? - Could there be a Token Flex routing issue where the subscription is assigned to the wrong team scope?
Happy to provide more diagnostics. Glad to also share the full DA report JSON privately if helpful (can email via the dev portal channel).