79806183

Date: 2025-10-31 20:44:01
Score: 0.5

Failure to access the list of forms of a project using the ACC API with a two-legged OAuth token is expected behavior, according to how the Autodesk authentication system was designed. The HTTP 401 “Unauthorized” error with the “Authorization failed” message indicates that the token does not have the necessary permissions to access this specific resource. Although the two-legged token works correctly in other ACC APIs, the Forms API has a different requirement: it needs a three-legged token, as forms-related operations are directly linked to permissions and the context of a user within the project.

A two-legged token represents only the application and not a specific user, which limits access to features that require user-level authentication. On the other hand, the three-legged token is obtained by explicit authorization from an end-user and allows the application to act on behalf of this user, respecting the permissions defined in the ACC project. Therefore, even if the two-legged token works well for endpoints dealing with more generic data, it is not enough to access information that requires connection with a human user's account, such as forms.

Unfortunately, so far, Autodesk has not announced support for two-legged tokens in the Forms API. This limitation is related to the Autodesk Construction Cloud security architecture, which prioritizes the traceability and individual responsibility of each action within a project. As forms usually involve compliance, security, inspections, or field records, it makes sense that access to them depends on an authenticated user context.

For integrations that cannot use three-legged tokens, this restriction really imposes a challenge. In many cases, the only viable alternative is to re-evaluate the authentication flow using a service user or a dedicated account to carry out the initial authorization and, from that, store and renew the three-legged token in a controlled manner. Although this requires more complexity in the integration process, it is currently the only compatible way to access the Forms API.

For now, there is no official prediction of when — or if — Autodesk intends to allow the use of two-legged tokens in this API. The most recommended approach is to monitor updates to the official documentation and the APS (Autodesk Platform Services) forums, where ads and support changes are usually published. This is a limitation widely recognized by the community, and several development teams have already requested Autodesk to reassess this policy, especially for automation cases without direct user interaction.

In short, the 401 error is not related to a technical problem in authentication, but to a deliberate limitation of API design. The Forms API requires a three-legged token to ensure the association of actions with an authenticated user, and so far there is no support or forecast for the implementation of two-legged tokens for this endpoint.

Reasons:
  • Long answer (-1):
  • No code block (0.5):
  • Low reputation (1):
Posted by: Rodrigo Reis
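
The "store and renew the three-legged token in a controlled manner" approach from the answer above, sketched as an added example (not code from the answer's author or from Autodesk). `ThreeLeggedTokenStore`, the file-based storage and the `post_form` helper are hypothetical; the token URL and the rotation of the refresh token on use are assumptions to confirm against the current APS documentation.

```python
import json
import os
import tempfile
import time
from pathlib import Path

# Assumption: APS OAuth v2 token endpoint; confirm against Autodesk's documentation.
TOKEN_URL = "https://developer.api.autodesk.com/authentication/v2/token"


class ThreeLeggedTokenStore:
    """Persists a user-authorized token pair and renews it shortly before expiry."""

    def __init__(self, path, post_form, skew=60, clock=time.time):
        # post_form(url, form) -> dict is a hypothetical caller-supplied HTTP helper
        # that adds the app's client credentials and returns the parsed JSON body.
        self.path = Path(path)
        self.post_form = post_form
        self.skew = skew          # seconds of safety margin before expiry
        self.clock = clock

    def save(self, token_response):
        record = {
            "access_token": token_response["access_token"],
            "refresh_token": token_response["refresh_token"],
            "expires_at": self.clock() + int(token_response["expires_in"]),
        }
        # mkstemp creates the file readable by the owner only (0600); os.replace
        # swaps it in atomically so a crash cannot leave a truncated token file.
        fd, tmp = tempfile.mkstemp(dir=self.path.parent)
        with os.fdopen(fd, "w") as fh:
            json.dump(record, fh)
        os.replace(tmp, self.path)

    def access_token(self):
        record = json.loads(self.path.read_text())
        if record["expires_at"] - self.skew > self.clock():
            return record["access_token"]
        response = self.post_form(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": record["refresh_token"],
        })
        # Assumption: the refresh token is rotated on use, so the new pair must be
        # persisted before the access token is handed out.
        self.save(response)
        return response["access_token"]
```

The initial `save()` call takes the token response from the service user's one-time interactive authorization. A plain JSON file keeps the example self-contained; the same logic applies when the record lives in a secrets manager.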