After you have linked the API or the specific API endpoints to the Access Manager scopes, you must modify the application, service, or client that makes the call to the APIs stored in the API Gateway. The OAuth2 protocol refers to the application, service, or client as a client.
If you do not modify the client, when a user tries to use the client, they receive a 401 or 403 error. The 401 error means that the token is invalid or missing. The 403 error means that the token is valid but it is missing the required scope or role for the endpoint. Both errors mean that the client is missing the access token from the OAuth2 request or that the current access token is invalid. To ensure that the users do not receive the 401 or 403 errors you must add an Authorization Code to the client.
When you add the Authorization Code to the client, it builds an Authorization Code OAuth profile request to initiate user login to obtain an access token. If the API endpoint requires a scope, you must add the name of the Access Manager scope in the body of the request. For more information, see the OAuth 2.0 Authorization Code Grant website.