Short answer: No, I've been working with the sandbox API(s) for a week now; I get how they work, in spite of the documentation.
Long answer: I started by reading the documentation (shocking, I know). I don't think it's controversial to say that it really pounds home how you need to get a user's permission for the "/read-public" scope and use the access token, even with the public API. Yet pretty quickly I realized that you don't need an access token whatsoever for public data, so I thought I'd just confirm this with people who use the API to see if I was missing something.
I was expecting something along the lines of "Oh, yeah, the documentation's wrong; you don't need an access token for public data," or "Sort of, but there is a situation where you need to send the token otherwise you don't get public data... <goes on to explain this hypothetical scenario>," or "Yeah, it used to be that way but it changed," or maybe even "Holy crap, that's a bug; I can't believe we deployed our API with this massive security hole!", something that acknowledged the blatant difference between the documented and actual behavior.
As far as I can tell, an access token with the "/read-public" (or "/authenticate", which implicitly includes "/read-public") scope is completely useless. You can get users' publicly-available data without any access token whatsoever, and users can't revoke access to public data (without changing its visibility, that is).
If you're putting documentation corrections on your backlog, here are some more to add, if they're not there already:
I started out with the "
How does 3-legged OAuth work," which, in the first paragraph -- "Any integration can ask for read permissions using the Public API. ORCID
members can use the Member API to ask for update permissions." -- seems to indicate that public (i.e., non-member) credentials can be used to get read permissions (I would read this as including "/read-limited" permissions, basically everything but writing data, especially when followed by that second sentence) and that permissions for reading publicly-visible data could be revoked by the user. That really set me off on the wrong foot with a whole lot of misconceptions.
Method: GET
Accept: application/vnd.orcid+xml
Authorization type and Access token: Bearer [Stored access token]
URL: https://api.sandbox.orcid.org/v3.0/[ORCID iD]/recordThe authorization header is actually "Authorization: Bearer [access token]". It took me awhile to find the real header. The docs give an accurate "Accept" header on the line above. Why do they drop the ball with the "Authorization" header? This is all over the place in the "
info.orcid.org" docs.