Oauthpartneruser::Readpartneruserinfo – Error Retrieving Intacct User
When integrating with Sage Intacct’s APIs and OAuth authentication, you may come across the error:
oauthpartneruser::readpartneruserinfo – error retrieving Intacct user
This error often surfaces when your application tries to fetch user details via the Intacct “readPartnerUserInfo” or similar endpoints, but the OAuth context or user permissions are not properly configured. The error indicates the system cannot locate or authorize the Intacct user associated with the OAuth credentials.
What Does “oauthpartneruser::readpartneruserinfo” Mean?
The prefix oauthpartneruser::readPartnerUserInfo refers to a function or operation in the Intacct partner / OAuth integration that attempts to retrieve information about a user connected under OAuth (such as user name, company, roles, etc.).
When the call fails with “error retrieving Intacct user”, it means:
- The user credentials or context used in the OAuth call cannot be mapped to a valid Intacct user.
- The OAuth partner integration is trying to read “partner user info” but the target user data is missing or inaccessible.
- There is likely a misconfiguration in the OAuth / Web Services / User setup in Intacct.
In short, Intacct is saying: “I don’t recognize the user you’re asking about (or I can’t fetch their info under your current credential).”
This is different from a pure token or credential error — it implies you got past token issuance (or at least are making a user-info request) but fail at the user lookup phase.
Why This Error Occurs: Common Causes
Below are the frequent root causes that lead to this error in Intacct API / OAuth integrations:
1. Missing or Improper Web Services / Partner User Setup in Intacct
To allow API access, Intacct requires that the API / Web Services user be created or authorized. If the OAuth partner user is not properly mapped to a valid Intacct user (Web Services user), the system cannot “read user info.”
2. Client ID / Secret / Application Not Authorized
Even if the OAuth token step succeeds, the client application must be registered and authorized in Intacct’s App Registry or in the partner settings. If the application is not permitted to read user info, calls like readPartnerUserInfo will fail.
Many developers report errors earlier such as "The Client ID, Client Secret, and/or 3rd Party Application are incorrect" when doing Intacct REST API token calls.
If your app is allowed to get tokens but not allowed to call user info endpoints, that discrepancy can lead to this error.
3. OAuth Grant Type or Scope Misconfiguration
If you’re using a grant type (authorization code, client credentials) that doesn’t include the proper scope or user context, then the partner user info endpoint lacks the necessary rights.
For instance, using client credentials without associating an Intacct user to the client may lead to a “no user to read” scenario.
4. Permissions / Role Limitations on the Intacct User
Even if the user exists, they may lack permissions to allow the application to read their profile or partner user info. Intacct’s permissions model can restrict access to certain modules or API endpoints, causing the lookup to fail.
5. Mismatch of Company / Entity / User Context
Intacct may require the correct company ID, entity ID, or user ID context in the API request. If any of these are incorrect or missing, the user info endpoint may not find a match.
How Intacct’s OAuth / Partner User Model Works
To better troubleshoot, it’s important to understand how Intacct handles OAuth + partner users:
- Sage Intacct supports OAuth 2.0 for integrations, where a client app (partner / third-party) is registered with a Client ID / Secret.
- Under OAuth, you may have a partner user configuration, which maps the external app’s user to an Intacct Web Services user.
- The readPartnerUserInfo (or similar internal method) is called to fetch metadata about the user under the OAuth context.
- The Intacct user (Web Services user) must have the proper permissions / roles / access in the target company and modules.
- The OAuth client must be authorized in the Intacct application registry, and the Intacct side must “allow” the client ID and link it with the Web Services user.
If any link between these pieces is missing or misconfigured, the error will arise when the user info lookup is attempted.
Troubleshooting Step by Step
Here’s a systematic approach to fix oauthpartneruser::readpartneruserinfo – error retrieving Intacct user:
1. Validate OAuth Token Acquisition
- Ensure your Client ID and Client Secret are correct. Some earlier errors relate to invalid client credentials.
- Confirm the OAuth grant type in use (authorization code, client credentials, etc.) and that you have requested proper scopes.
- If the token request fails, address that first before making user info calls.
2. Check Partner / App Registration in Intacct
- Log into Intacct’s Developer / App Registry console. Ensure your client app is registered.
- Confirm that readPartnerUserInfo (or user info endpoint) is allowed for your app.
- Some apps require adding the client ID into an “allowed list” or configuring the partner linking.
3. Create / Assign a Web Services User in Intacct
- Under Intacct, create or confirm a Web Services user that corresponds to the external user.
- Assign proper roles, permissions, and module access to this user (including API / data access).
- Ensure that the Web Services user is linked to the client application (if required in your setup).
4. Check Permissions & Roles on the Intacct User
- In Intacct, navigate to Users → Permissions / Roles and verify that the user has access to required modules.
- Confirm they have List / View / API access for user metadata endpoints.
- If a role is missing or incorrectly configured, correct it.
5. Review Entity / Company / User Context Parameters
- Ensure your API request includes the correct company ID, entity ID (if needed), and user ID.
- If your request is defaulting to a wrong or empty company context, the user info lookup may not find anything.
- Try specifying entity explicitly, or test with minimal contexts to isolate mismatch.
6. Test with Minimal User & Client Setup
- In a test environment (sandbox), create a simple client app + web services user with broad permissions.
- Make the readPartnerUserInfo call. If it succeeds there, the issue in production is likely configuration differences.
- This helps isolate if your production setup has missing permission or configuration.
7. Capture & Inspect API Responses & Logs
- Use API debugging tools or logs to see the full request and response. The error message might include additional info.
- Check whether the HTTP status code is 401, 403, or 400, which may indicate permission or bad request issues.
- See whether “user not found” or “access denied” appears in error details.
8. Escalate to Intacct Support if Configuration Seems Correct
If you’ve validated app registration, user setup, permissions, and request parameters and the error still persists, open a support case with Sage Intacct.
Provide them your client ID, user ID, error messages, request logs, and mappings for troubleshooting.
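The log inspection in step 7 and the log hand-off in step 8 can be scripted. The following is an added example, not Sage Intacct code: it sorts integration log lines into the failure classes this article describes and strips client secrets and bearer tokens before the lines are shared. The key=value log format, field names, category names, and the category-to-step mapping are assumptions made for illustration.

```python
import re

# Constructed sample lines in an assumed key=value log format (not real Intacct output).
SAMPLE_LOG = [
    'ts=2024-05-01T10:00:00Z status=400 client_secret=s3cr3tValue '
    'msg="The Client ID, Client Secret, and/or 3rd Party Application are incorrect"',
    'ts=2024-05-01T10:02:00Z status=403 authorization="Bearer abc.def.ghi" '
    'msg="oauthpartneruser::readpartneruserinfo - error retrieving Intacct user: access denied"',
    'ts=2024-05-01T10:03:00Z status=400 company_id=EXAMPLECO '
    'msg="oauthpartneruser::readpartneruserinfo - error retrieving Intacct user: user not found"',
    'ts=2024-05-01T10:04:00Z status=200 msg="ok"',
]

NEXT_STEP = {  # category -> article step; the mapping is this example's assumption
    "credentials": "Step 1: validate Client ID / Secret, grant type and token acquisition",
    "permissions": "Steps 2 and 4: check app registration and user roles",
    "user-mapping": "Steps 3 and 5: check Web Services user and company/entity context",
    "unclassified": "Step 7: capture the full response before escalating",
}

SECRET_PATTERNS = [  # values that should not leave your environment in a log excerpt
    (re.compile(r'(?i)\b(client_secret|access_token|refresh_token)=("[^"]*"|\S+)'), r'\1=[REDACTED]'),
    (re.compile(r'(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+'), 'Bearer [REDACTED]'),
]

def redact(line):
    """Replace secrets and bearer tokens so the line can be attached to a support case."""
    for pattern, repl in SECRET_PATTERNS:
        line = pattern.sub(repl, line)
    return line

def classify(line):
    """Return a failure category for a log line, or None if it is not an error of interest."""
    text, codes = line.lower(), re.findall(r'\bstatus=(\d{3})\b', line)
    if "client id, client secret" in text:
        return "credentials"
    if "readpartneruserinfo" not in text:
        return None
    if "access denied" in text or "403" in codes:
        return "permissions"
    if "user not found" in text:
        return "user-mapping"
    return "credentials" if "401" in codes else "unclassified"

def triage(lines):
    return [(c, NEXT_STEP[c], redact(l)) for l in lines if (c := classify(l))]

for category, step, safe_line in triage(SAMPLE_LOG):
    print(f"[{category}] {step}\n    {safe_line}")
```

The client ID is left visible because step 8 asks for it; the client secret and tokens are not needed for a support case and are removed.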
Best Practices & Preventive Tips
To avoid encountering this error in the future (or minimize it), follow these best practices:
- Use consistent naming and mapping: Keep your OAuth application, Web Services user, and user IDs aligned clearly so mappings are easy to audit.
- Document permissions & roles for users used in API integrations, and keep them minimal but sufficient.
- Use sandbox testing of your OAuth + user info calls before deploying to production.
- Monitor logs and errors early (e.g. set alerts on “user info lookup failed”) so you catch issues proactively.
- Maintain version alignment: If Intacct changes endpoint versions or deprecates features, ensure you update your integration.
- Use explicit entity/company context in requests to avoid ambiguity.
- Guard credentials carefully: If multiple clients or environments exist, avoid mixups of Client IDs / Secrets between environments.