New API user, help with view-based POST

I'm a longtime Knack Builder user experimenting with the API. I'm trying to create a simple record using a view-based POST with the following code in the Builder's custom JavaScript window. Both the triggering form (view 258) and the POST form (view 259) are in the same scene, which requires a login.

When I run the code below I get this 403 error. It appears that the Authorization token is invalid, but why? I'm sure it's something simple but I can't figure it out. If I do an Object-based POST, it works fine. But I don't want to do that.




{"readyState":4,"responseText":"Invalid token provided. Please reauthenticate.","status":403,"statusText":"Forbidden"}


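var app_id = 'YOUR_APP_ID'; // placeholder: the value was left out of the original post

$(document).on('knack-form-submit.view_258', function (event, view, record) {
  var user = Knack.getUserToken();
  var headers = { "X-Knack-Application-ID": app_id, "Authorization": user, "Content-Type": 'application/json' };

  var url = ''; // URL left blank in the original post

  var data = { field_245: 'A Random Book',
               field_246: 'Joe Author' };

  $.ajax({
    url: url,
    type: 'POST',
    headers: headers,
    data: JSON.stringify(data),
    success: function (response) {
      // handler body not shown in the original post
    },
    error: function (response) {
      // handler body not shown in the original post
    }
  });
});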



@Camiille Maybe... it also might be a bug that has been frustrating me ever since the last security update.

I've found that there can often be a discrepancy between the permissions which are evident in the browser and those in the API responses, i.e. sometimes it says you're logged in with a valid token and have access to a view, but the API will return forbidden.

Normally, logging out and back in to refresh the token will get it working again. It's incredibly frustrating.

I've taken to adding an error handler to each call with an alert that prompts the user to log out / back in if the response code is 403. I'm thinking of expanding that to redirect to a log out view & click log out and boot them out of the system so they have to refresh their token.
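The 403 handling described in the reply above, as an added example that is not part of the thread or of Knack's own code: it separates a stale-token 403 (the "Invalid token provided" body quoted in this thread) from a plain permission 403 and only prompts a re-login for the former. The function names, the `deps` object, the `scene_1` key and the endpoint URL pattern are assumptions, and the app ID is a placeholder.

```javascript
// Added example, not code from the thread. All names below are hypothetical.
// Constructed config: the thread omits the real app ID, scene key and URL.
const SAMPLE = { appId: 'YOUR_APP_ID', scene: 'scene_1', view: 'view_259' };

// Build the request at call time so the token is read fresh on every submit.
function buildViewPost(cfg, token, data) {
  if (!token) throw new Error('no user token: user is not logged in');
  return {
    // Assumed view-based endpoint pattern: pages/<scene>/views/<view>/records
    url: `https://api.knack.com/v1/pages/${cfg.scene}/views/${cfg.view}/records`,
    type: 'POST',
    headers: {
      'X-Knack-Application-ID': cfg.appId,
      'Authorization': token,
      'Content-Type': 'application/json',
    },
    data: JSON.stringify(data),
  };
}

// Map a failed response to one action the UI can take.
function classifyFailure(xhr) {
  const body = String(xhr.responseText || '');
  if (xhr.status === 401) return 'reauthenticate';
  if (xhr.status === 403) {
    // Stale or rejected token: logging in again can fix it.
    if (/invalid token|reauthenticate/i.test(body)) return 'reauthenticate';
    // Any other 403 is a permission problem; a new login will not help.
    return 'forbidden';
  }
  if (xhr.status >= 500) return 'retry';
  return 'fail';
}

// deps is injected so the logic runs outside the browser. In the Builder:
//   { getToken: () => Knack.getUserToken(), ajax: $.ajax,
//     promptRelogin: () => alert('Please log out and back in.'),
//     report: (action, status) => console.error(action, status) }
function postToView(cfg, data, deps) {
  const opts = buildViewPost(cfg, deps.getToken(), data);
  opts.error = (xhr) => {
    const action = classifyFailure(xhr);
    if (action === 'reauthenticate') deps.promptRelogin();
    else deps.report(action, xhr.status);
  };
  return deps.ajax(opts);
}
```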

I did finally get this to work. The only thing I changed was to pass the header args directly, rather than as the var headers. Maybe it was something to do with scope and the asynchronous AJAX call. Who knows, but it works now so I'm good with it.

headers: { "X-Knack-Application-ID":, 
"Authorization": Knack.getUserToken(),

It also seems a little confusing on the developer docs which explain the view-based request, as the required headers are different than the headers included in the curl command directly below it.

I've been dealing with the same issue over the past couple of days. It seems like there's probably something simple I'm missing, but can't seem to figure out what it is. And yes, the object-based request works fine. Also, the view-based request also works, if I remove the login requirement from the page, and remove the Knack.getUserToken() from the header. Both of those submit the data and work great. But on the view-based request, as soon as I add the login, and the Authorization token, I also get a 403 response:

{"readyState":4,"responseText":"Invalid token provided. Please reauthenticate.","status":403,"statusText":"Forbidden"}

I'm using an AJAX request, which looks similar to yours, and I've also removed and tested other variables, and it must be related somehow to the user token, but no solutions yet.