Attempted access to unauthorised API version

Hello there

I am making this request to a local Tyk gateway

    "error": "Access to this API has been disallowed"

From the log, it seems to be some versioning error
```
time="Dec 28 11:15:48" level=info msg="Attempted access to unauthorised API version." api_found=true key=5860f3745841150001f7ff3db7c65d169cde465c6df2c99eab5ac2fa origin= path="/parcel/v1/" version_found=false
time="Dec 28 11:15:48" level=error msg="request error: Access to this API has been disallowed" api_id=6a0bb985b06d467243c78b6ab21d0826 org_id=5860f3745841150001f7ff3d path="/v1/" server_name="" user_id="****c2fa" user_ip=
```

I couldn't figure out what was wrong with my following config.

```
    "version_data": {
        "not_versioned": false,
        "versions": {
            "v1": {
                "name": "v1",
                "expires": "",
                "paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": []
                },
                "use_extended_paths": true,
                "extended_paths": {
                    "virtual": [
                        {"response_function_name": "ParcelCRUDPost",
                         "function_source_type": "file",
                         "function_source_uri": "/opt/tyk-gateway/middleware/virtual_endpoints/ParcelCRUD_post.js",
                         "path": "",
                         "method": "POST",
                         "use_session": true}
                    ]
                },
                "global_headers": {},
                "global_headers_remove": [],
                "global_size_limit": 0,
                "override_target": ""
            }
        }
    }
```

Does your token grant access to the API version v1? Can you share it, please?

Hi Martin,

Here is how I am generating the access token

```
curl -X POST -d "grant_type=client_credentials" -u a8535d2614af455f7c3cd429789646db:NDRlMDI2NDctMTlmMS00MzM2LTU1ODMtYWY5MDQ5ZWVjYjNl
```

I was planning to have one central API to issue all these access tokens. It has just occurred to me that the assumption might not have been correct?

Yes, you can do that. The client ID you are using to generate this token from will have a section that defines the policy to attach to tokens (this grants access rights), or alternatively you need to pass a key_rules request parameter that specifies the session object to use. There are OAuth docs here that might clarify things a bit:

Haha, this is a catastrophic failure. I have just realized the Add button in the access rights box is just a UI thing and doesn't really save anything until the Update button is clicked, a few scrolls away. All good, just a false alarm. Thanks, Martin, for the support.
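
Added example (not part of the thread, and not Tyk's own code): a small triage script for this kind of rejection. It parses the two gateway log lines quoted in the question and checks whether a key's session object carries an access right for the rejected API ID and version `v1`. The session objects are constructed samples and assume Tyk's `access_rights` layout (API ID mapped to an entry with a `versions` list); the function names are hypothetical.

```python
import shlex

# The two gateway log lines quoted in the question (key replaced by a placeholder).
LOG_LINES = [
    'time="Dec 28 11:15:48" level=info msg="Attempted access to unauthorised API version." '
    'api_found=true key=KEY_PLACEHOLDER origin= path="/parcel/v1/" version_found=false',
    'time="Dec 28 11:15:48" level=error msg="request error: Access to this API has been disallowed" '
    'api_id=6a0bb985b06d467243c78b6ab21d0826 org_id=5860f3745841150001f7ff3d path="/v1/" '
    'server_name="" user_id="****c2fa" user_ip=',
]
API_ID = "6a0bb985b06d467243c78b6ab21d0826"

# Constructed session objects; the access_rights layout is an assumption.
SESSION_NOT_SAVED = {"access_rights": {}}  # access right added in the UI but never saved
SESSION_SAVED = {"access_rights": {API_ID: {"api_id": API_ID, "versions": ["v1"]}}}


def parse_logfmt(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.partition("=")[::2] for tok in shlex.split(line))


def check_access(session, api_id, version):
    """Return 'ok', 'missing_api' or 'missing_version' for this key and API version."""
    entry = (session.get("access_rights") or {}).get(api_id)
    if entry is None:
        return "missing_api"
    if version not in entry.get("versions", []):
        return "missing_version"
    return "ok"


def triage(lines, session, version):
    """Pair every 'disallowed' error in the log with the reason the key fails."""
    findings = []
    for fields in map(parse_logfmt, lines):
        if fields.get("level") == "error" and "disallowed" in fields.get("msg", ""):
            api_id = fields.get("api_id", "")
            findings.append((api_id, check_access(session, api_id, version)))
    return findings


if __name__ == "__main__":
    for name, session in [("not saved", SESSION_NOT_SAVED), ("saved", SESSION_SAVED)]:
        print(name, triage(LOG_LINES, session, "v1"))
```

Running the check against the stored key or policy, rather than what the dashboard form displays, shows whether the access right was actually persisted.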