I just created a new API token and I’m getting FORBIDDEN on all my production requests. Why is that? I couldn’t find permissions anywhere to change the scope of my token either.
Is the location_id you’re using in the request sandbox or production? 
that fixed it, thanks. I wonder why when I switch the toggle to prod it doesn’t reset to empty?
Glad that fixed it. I’ll definitely pass that on to the team.