
MasterData class fails to create/update documents #573

@josefo727

Description

I’m facing a consistent issue when trying to create or update documents in MasterData using the MasterData class from the @vtex/api package (version 6.48.0). Despite correctly extending the MasterData class, I cannot manipulate (create, update, or delete) records in a MasterData entity unless I set all fields in the entity to "Public access" (enabling "Allow editing without credentials" in the VTEX UI). This is not a secure practice and severely limits functionality in production environments.

Steps to Reproduce

  1. I extend the MasterData class in my Node.js service as follows:
    import { InstanceOptions, IOContext, MasterData } from '@vtex/api'
    
    export class Registers extends MasterData {
      constructor(ctx: IOContext, options?: InstanceOptions) {
        super(ctx, {
          ...options,
          headers: {
            ...options?.headers,
            VtexIdclientAutCookie: ctx.authToken
            // 'X-VTEX-API-AppKey': appKey,
            // 'X-VTEX-API-AppToken': appToken,
          },
          // verbose: true,
        })
      }
    
      // Methods like createDocument, updatePartialDocument, etc.
    }
  2. I attempt to create or update a document in a MasterData entity (e.g., SP for StorePickup) using methods like createDocument or updatePartialDocument:
    await this.createDocument({
      dataEntity: 'SP',
      fields: { id: 'test', field: 'value' },
    });
  3. I consistently receive an HTTP 403 (Forbidden) error unless I enable "Allow editing without credentials" in the entity configuration in the VTEX UI.

Expected Behavior

I should be able to create or update documents in MasterData using:

  • The VtexIdclientAutCookie token provided by IOContext.authToken.
  • Optionally, headers X-VTEX-API-AppKey and X-VTEX-API-AppToken for authentication.

This should work without requiring "Allow editing without credentials," respecting the access policies defined in my app’s manifest.json, such as:

{
  "policies": [
    {
      "name": "outbound-access",
      "attrs": {
        "host": "api.vtex.com",
        "path": "/api/dataentities/*"
      }
    }
  ]
}

Current Behavior

  • With VtexIdclientAutCookie in the headers, I receive a 403.
  • With X-VTEX-API-AppKey and X-VTEX-API-AppToken (uncommented in the constructor), I also receive a 403.
  • However, when testing the same appKey and appToken outside the service (using Postman or a direct HTTP request), operations in MasterData work correctly, indicating that the issue is not with the credentials themselves or their roles, but with how @vtex/api handles authentication or policies.

Additional Context

  • I’m working on a Node.js service using @vtex/api within a VTEX app.
  • The version of @vtex/api I’m using is 6.48.0.
  • The issue persists even with correctly configured policies in manifest.json and a valid IOContext provided by VTEX.
  • Enabling "Allow editing without credentials" resolves the issue but compromises security by making the data publicly accessible, which is not viable in production.

Impact

This issue blocks the core functionality of my app, as I cannot manage MasterData securely and programmatically from the service. Forcing the use of "Allow editing without credentials" is not a sustainable solution, and using VTEX’s raw API with appKey/appToken outside of @vtex/api is a temporary workaround that defeats the purpose of using this library.

Question

Is there a correct configuration or approach I’m missing to manipulate MasterData data from a service using @vtex/api? Could there be a bug in the MasterData implementation or in how authentication is handled with VtexIdclientAutCookie or appKey/appToken?

Notes

  • I’ve reviewed the @vtex/api documentation and examples in the repository but found no clear solution to this issue.
  • If needed, I can provide detailed logs, the full manifest.json, or the schema of the affected entity to aid in debugging.
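An added example, not code from the issue author or from the @vtex/api project: a small TypeScript lint that checks a VTEX IO manifest.json for the policies an app needs before it can write to Master Data with its own auth token, which is the least-privilege alternative to opening the entity with "Allow editing without credentials". It assumes, per VTEX's Master Data documentation for IO apps, that the ADMIN_DS policy is required in addition to the outbound-access policy quoted in the issue; the two manifests embedded in the block are constructed samples.

```typescript
// Added example, not code from the issue or from @vtex/api.
// Lint a VTEX IO manifest.json for the policies an app needs to write to
// Master Data with its own token. Assumption: VTEX documents the ADMIN_DS
// policy as required for Master Data access from IO apps, in addition to the
// outbound-access policy for api.vtex.com/api/dataentities/*.

interface Policy {
  name: string
  attrs?: Record<string, string>
}

interface Manifest {
  name?: string
  policies?: Policy[]
}

const MASTER_DATA_HOST = 'api.vtex.com'
const MASTER_DATA_PATH = '/api/dataentities/*'
const MASTER_DATA_ADMIN_POLICY = 'ADMIN_DS'

// True when some outbound-access policy covers the Master Data endpoint.
function coversMasterDataEndpoint(policies: Policy[]): boolean {
  return policies.some(
    (p) =>
      p.name === 'outbound-access' &&
      p.attrs?.host === MASTER_DATA_HOST &&
      (p.attrs?.path === MASTER_DATA_PATH || p.attrs?.path === '*'),
  )
}

// Returns a human-readable list of what the manifest is missing; an empty
// list means the manifest declares everything this lint knows to look for.
export function missingMasterDataPolicies(manifest: Manifest): string[] {
  const policies = manifest.policies ?? []
  const missing: string[] = []
  if (!coversMasterDataEndpoint(policies)) {
    missing.push(`outbound-access to ${MASTER_DATA_HOST}${MASTER_DATA_PATH}`)
  }
  if (!policies.some((p) => p.name === MASTER_DATA_ADMIN_POLICY)) {
    missing.push(MASTER_DATA_ADMIN_POLICY)
  }
  return missing
}

// Constructed sample: the policies block quoted in the issue (outbound-access only).
export const manifestFromIssue: Manifest = {
  policies: [
    {
      name: 'outbound-access',
      attrs: { host: 'api.vtex.com', path: '/api/dataentities/*' },
    },
  ],
}

// Constructed sample: the same manifest with the Master Data policy declared,
// so the app token can be accepted without making the entity publicly writable.
export const manifestWithMasterDataPolicy: Manifest = {
  policies: [
    ...(manifestFromIssue.policies ?? []),
    { name: MASTER_DATA_ADMIN_POLICY },
  ],
}

// Stand-alone run: report both sample manifests.
for (const [label, manifest] of [
  ['issue manifest', manifestFromIssue],
  ['fixed manifest', manifestWithMasterDataPolicy],
] as const) {
  const missing = missingMasterDataPolicies(manifest)
  console.log(`${label}: ${missing.length === 0 ? 'ok' : 'missing ' + missing.join(', ')}`)
}
```

The lint only inspects declarations: a declared policy still has to be granted when the app is installed, and nothing in manifest.json reveals whether an entity has already been opened to unauthenticated edits in the admin UI, so treat a passing result as ruling out one common cause of the 403, not as proof that the token path works.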
