What is the permissions scope required for getting invoice by ID through the API?

I have an account specifically for using the REST API. This account can successfully GET /invoices. However, if I send a GET to /invoices/{id}, I get:

{
  "error": {
    "code": 401,
    "message": "Unauthorized: Access not allowed for login api"
  }
}

This user has Create, Read, Update, and Export permission for invoices. I’ve also added permissions for some possibly related things, like Vendors, Payments, etc. I’m not sure what specific permission is required to fetch invoices by ID. It also can’t fetch lines per invoice id, payments per invoice id, etc.

Hm, the permission may be

Extend access to all third parties AND their objects (not only third parties for which the user is a sale representative).
Not effective for external users (always limited to themselves for proposals, orders, invoices, contracts, etc.).
Not effective for projects (only rules on project permissions, visibility and assignment matters).

As I’ve just toggled this and am now able to get invoices by id, invoice lines by invoice id, and invoice payments by invoice ID.