Any help with this would be appreciated, 

Thank you  

I will explain the scenario that I have, so maybe this would be more clear  

So I have this use case where an Integration application should track meetings within the organization, based on the fact of specific users being invited to the meeting. 

The structure would be like: 1 integration application, 5 users that are being invited to WebEx meetings. The integration application must track such meetings, read its participants, etc. 

I have noticed that it works just fine if the integration application is accessing meetings of the user, on behalf of which the integration app was created. But for all other users - it is able to list the meetings through meetings API, but it is unable to read such meetings details and meeting participants, regardless of whether the meeting is set to "publicly listed" or not. 

So I was wondering, if this is only meeting host<>integration app that this scenario would work for, or is there other way to elevate integration app permissions, so it has access to all meetings and participants (at least ones that are publicly listed, but not have app creator as a meeting host)

(For instance, trying to read listed meeting works fine, but trying to access its participants ends up with an error - "The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses.", even though the application has the meeting:admin_participants_read scope added and authorized by the admin. Is there other scope(s) that should be used for other scenario?)

 Thank you

We would need trackingIds from the failed request to look into this further. An org full admin should be able to pull all meeting and participant details for any meetings hosted by members of their org, they would just need to define the hostEmail with the host of the meeting. Can you send the details of your requests and the trackingds for failed requests to devsupport@webex.com?

Hi @Jeff Marshall 

Sorry, I think I might've been a bit unclear on this one, let me explain: 

Currently, my work account isn't full organization admin. I have used it to create an integration application with meeting:admin_participants_read scope, authorized by the organization admin. 

What I would expect by doing so, is for my integration application to being able to access all meetings in the organization. However, I am unable to retrieve such meetings details and participants, with the following error: 

{"message":"The server understood the request, but refused to fulfill it because the access token is missing required scopes or the user is missing required roles or licenses.","trackingId":"ROUTER_64393B69-3F2C-01BB-013C-AC12DD94013C"}

So the question is - is it because my user, on behalf of which the integration app was created, isn't full organization admin (currently it's elevated to Advanced Troubleshooting), or for some other reasons? 

And would it potentially work if the integration app is created by full organization admin instead? 

The scopes that are granted atm are "spark:kms meeting:schedules_read meeting:participants_read meeting:admin_participants_read meeting:admin_schedule_read" (as per https://webexapis.com/v1/access_token response, which means that :admin ones were authorized by the full org admin)

Thank you   

It doesn't matter who creates an integration. When a user authorizes with an integration, regardless of who created it, their roles within their own org are checked before scopes are applied to the token. If they're missing a required role for specific scopes that were requested then those scopes simply won't be applied to the token. I can confirm from the trackingId that the user that made the request is a full admin of their org. What I can't see is if the token used actually has the correct scopes applied to it, would need the token to validate it and verify what scopes were actually assigned. I did test listing meeting participants for a listed meeting that was inProgress and after it had ended that was owned by another host and it did return the participants correctly for the admin that made the API requests. I tested using the token generated by the dev portal. What are the exact scopes that you have selected on your integration? We can try to reproduce using a token generated by an integration once we know all of the scopes that you have selected on your integration so we can mimic it.

Sure, this would be very helpful. 

What information do you need then? (that is safe to share here) 

I can confirm that the applied scopes are "spark:kms meeting:schedules_read meeting:participants_read meeting:admin_participants_read meeting:admin_schedule_read", as these are the scopes that were provided in a token generation response (based on refresh token, the access/refresh tokens are obscured for security reasons):

{
   "access_token":"******",
   "expires_in":1209599,
   "refresh_token":"******",
   "refresh_token_expires_in":7770591,
   "token_type":"Bearer",
   "scope":"spark:kms meeting:schedules_read meeting:participants_read meeting:admin_participants_read meeting:admin_schedule_read"
}

 The endpoint I'm using for participants retrieval is 

/v1/meetingParticipants?meetingId={meetingId}

Thank you

Oh, yes, this was it! My problem was that I haven't included hostEmail qs parameter. Interestingly, that it worked for the meetings that my user is a host of. 

Yes, this is how I use it in terms of ids and meetingTypes so far. Everything seems to work fine on that front, so my real issue was missing hostEmail qs parameter, I have probably missed it in the documentation...

But the issue seems to be resolved now, thank you so much for the help!  

Happy to help!