Dear Matthew,
We are aware of this issue, and you are right that this functionality was available previously, with the old way of authenticating.
Background
Before switching to server-to-server apps, the only way to authenticate and get a token was using a 3-legged process. This process produces a 3-legged token and the token itself contains the user ID that was used to obtain the token (in addition to the clientID as well). When calling the /companies API, the API would extract the user ID from the token and return the companies (tenants) that the user is a part of. The response would contain the company IDs. This functionality was not removed, and it still works if you call the /companies API using a 3-legged token (https://aps-stg.autodesk.com/en/docs/oauth/v2/tutorials/get-3-legged-token/). However, obtaining a 3-legged token now requires an interaction with the user (entering the user's password) and is problematic if you write scripts (which most people do). This is the main reason we now recommend using 2-legged authorization with impersonation - it's much simpler and easier to use from scripts (the script just needs a clientID and secret pair, and no intervention from a human is required).
However, as you correctly pointed out, this prevents the /companies API from working. The issue here is that the clientID represents an app, not a user, and is not associated with a company/tenant in the same way a user is.
Workaround
As a temporary measure, we have changed the way a new API user is onboarded. After whitelisting is performed, Upchain support will contact the user with a notification that the clientID is whitelisted and provide the companyID (e.g. "Hey Matthew, your clientID xyz has been whitelisted and your companyID is 123."). This works for now, and I do not really agree that there is much room for human error here.
In addition to getting the companyID via support email, there are some non-user-friendly/ugly ways to get the companyId without asking support:
- log into swagger using a 3-legged process (with your user) and then call the /companies endpoint
- log in with your user to Upchain Web, and in the Network tab of Chrome every request will have the Upc-Selected-Company header - you can see the value of companyId there
Fix
I do agree that we should have an endpoint to obtain the companyID from a clientID - we are in discussions about how to design this, and the end result will be a fix for the /companies endpoint or a new endpoint to provide this functionality.
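
The tenant lookup described in this reply, modelled as an added example (not part of the original reply and not Autodesk or Upchain code): it shows why a 3-legged token resolves to companies while a 2-legged token does not, and what a clientID-based fallback could look like. The JWT-shaped token layout, the claim names `userid` and `client_id`, and the two in-memory tables are assumptions made for illustration.

```python
import base64
import json

# Constructed sample data; not real Upchain users, client IDs or tenants.
USER_COMPANIES = {"user-42": ["123"]}        # user ID -> company IDs
WHITELISTED_CLIENTS = {"client-xyz": "123"}  # clientID -> companyID noted at whitelisting


def make_token(claims):
    """Build an unsigned, JWT-shaped sample token (header.payload.signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def read_claims(token):
    """Decode the payload segment. No signature check: for inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_kind(claims):
    """A 3-legged token carries a user ID; a 2-legged token carries only the clientID."""
    return "3-legged" if claims.get("userid") else "2-legged"


def companies_by_user(claims):
    """Behaviour described in the reply: tenants are resolved from the user ID only."""
    return USER_COMPANIES.get(claims.get("userid"), [])


def companies_with_client_fallback(claims):
    """Hypothetical fix: fall back to the company recorded for a whitelisted clientID."""
    found = companies_by_user(claims)
    if found:
        return found
    company = WHITELISTED_CLIENTS.get(claims.get("client_id"))
    return [company] if company else []


# Constructed tokens: same app, with and without a user behind it.
three_legged = make_token({"client_id": "client-xyz", "userid": "user-42"})
two_legged = make_token({"client_id": "client-xyz"})
```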