Unable to create records with other users permissions

are we able to create records in collections with permissions of different user than the caller of this request? (with document security on) I have backend function in appwrite that manages this scenario, but I am getting 401 no matter how I configure the scopes in either function or collection

@Meldiron regarding this https://discord.com/channels/564160730845151244/564160731327758347/1432338675781337139

i am using x-appwrite-key from headers endpoint is: https://fra.cloud.appwrite.io/v1 project id is correct 100%

can you share your code with me? Ill see if I can spot any potential issue. (minimal, if possible)

Also, here is our starter function example, which uses server SDK to list users: https://github.com/appwrite/templates/blob/main/node/starter/src/main.js

x-appwrite-key starts with dynamic_..., so its good, when i decode it wiht base64 i can see scopes

that should make it work

hmm what else 🤔 Can you please print entire error, including body? I can then trace it to specific line of code in Appwrite

operation i am trying to do is a simple: createDocument call on databases

when using JWT based client in the function I was able to add only the permissions of the caller

when using x-appwrite-key based client in the function I was getting 401 always, no matter if I specified permissions or not

the error:

[ERROR] [Appwrite Error] user_unauthorized in createDocument:6839be33000b946e38df: The current user is not authorized to perform the requested action. (Code: 401) - Hint: User may not have permission to access this resource {"error":null}
[ERROR] Stack trace: AppwriteException: The current user is not authorized to perform the requested action.
    at _Client.call (file:///usr/local/server/src/function/node_modules/node-appwrite/dist/client.mjs:278:13)
    at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
    at async Databases.createDocument (file:///usr/local/server/src/function/node_modules/node-appwrite/dist/services/databases.mjs:1668:12)
    at async retryOperation.maxRetries (file:///usr/local/server/src/function/s {"error":null}
[ERROR] [rejectDeal] ❌ Rejection failed: The current user is not authorized to perform the requested action. {"error":null}
[ERROR] Error response {"error":{}}

insightful ✨ I know there is different error message for when you are authorized wrong, and when you are not authorized.

Makes me think it really knows dynamic key and project. 2 more ideas:

1. As silly as it sounds, can you please check if function settings it has scopes for documents.write?
2. As silly as i sounds, can you try and deploy your function again?

i added all possible scopes on the function, I also tried adding Any for all operations on the collection

after redeploying nothing changes, but check the response from the execution:

{
    "$id": "68ff6230419fee5e6221",
    "$createdAt": "2025-10-27T12:14:48.052+00:00",
    "$updatedAt": "2025-10-27T12:14:48.052+00:00",
    "$permissions": [
        "read(\"user:676ebcc50015b1257d4d\")"
    ],
    "functionId": "68fca905000adc9ea283",
    "deploymentId": "68ff620731fa17f48cc2",
    "trigger": "http",
    "status": "failed",
    "requestMethod": "POST",
    "requestPath": "\/",
    "requestHeaders": [
        {
            "name": "x-appwrite-client-ip",
            "value": "SOME_IP"
        }
    ],
    "responseStatusCode": 500,
    "responseBody": "{\"success\":false,\"error\":\"Failed to reject deal: The current user is not authorized to perform the requested action.\",\"type\":\"general_unknown\",\"correlationId\":\"req-mh93ohmk-ti4ncl\",\"processingTime\":762}",
    "responseHeaders": [
        {
            "name": "content-type",
            "value": "application\/json; charset=utf-8"
        },
        {
            "name": "content-length",
            "value": "202"
        },
        {
            "name": "date",
            "value": "Mon, 27 Oct 2025 12:14:48 GMT"
        },
        {
            "name": "connection",
            "value": "keep-alive"
        },
        {
            "name": "keep-alive",
            "value": "timeout=5"
        },
        {
            "name": "x-appwrite-execution-id",
            "value": "68ff6230419fee5e6221"
        }
    ],
    "logs": "",
    "errors": "",
    "duration": 2.9682960510254
}

i am not sure if document security on changes something here?

I dont think so, API key with documents.write should be able to createDocument no matter what.

How large is the source code for this function? Could you share it with me?

If you prefer not to, there is one more thing you can try. In Functions, go to create new function, and use Node's quick start.

This function should create execution and in execution logs say how many users your project has. If that works, you could update this starter to try and do some DB operations. Chances are here we can get a working solution, and then compare it with your function implementation

its quite large, with many files, so I will give your suggestion a try, if the issue persists I will let you know so maybe we can search in the actual source code