403 Forbidden but not in Postman

Keegan · July 3, 2024, 4:59am

I’m trying to call the Patreon API from my Cloudflare worker.

Here’s my code block:

		const url = `https://www.patreon.com/api/oauth2/v2/identity`;
		const responseTest = await fetch(url, {
			headers: {
				Authorization: `Bearer ${c.env.PATREON_CREATORS_ACCESS_TOKEN}`,
				'User-Agent': 'PostmanRuntime/7.39.0',
				Accept: '*/*',
				'Accept-Encoding': 'gzip, deflate, br',
				Connection: 'keep-alive',
			},
		});

I copied the headers over from Postman, where the request works. The above request works as well, but it requires this line in the headers 'User-Agent': 'PostmanRuntime/7.39.0' which feels wrong to me.

Without that entry in the headers, I receive 403 Forbidden error.

Can someone help me understand why this is necessary and what I could replace it with so that my app works? What am I doing wrong here?

Duke · July 3, 2024, 7:41am

I am having the 403 issue since yesterday (Forum post) (before that, everything worked great for days), so I assume it is an issue on Patreon’s side (I contacted support some hours ago).

Setting the user agent to Postman works for me as well, so thank you for mentioning this workaround!

Mike_Cross · July 3, 2024, 9:26am

+1 to the thanks for the postman user-agent workaround, it resolved my error too.

@Keegan if you ever get as response as to why this is needed (or when it is no longer needed) please post!

Keegan · July 3, 2024, 1:49pm

Hey @Mike_Cross and @Duke I did a little more digging and found this: Cloudflare IM NOT A ROBOT blocking API?!? - #7 by Jackie_Bow

I noticed I was getting served a website response as well, so I’m assuming it is the same as this issue.

Turns out Patreon added a security feature to serve a robot check CAPTCHA to any request without the User-Agent header as it’s a signal that the request is coming from malware.

Works in Postman because Postman automatically generates the User-Agent header.

I searched the entire API documentation for the word “User-Agent” but nothing return. This should really be included in the docs!

I haven’t tested yet but I believe any value for the header should work. Something like “node” or “Cloudflare-worker” is probably fine but again need to test!

Keegan · July 3, 2024, 1:51pm

Weird that it was working last week though and my server just start getting the 403 yesterday. The post I shared is from 2020.

Mike_Cross · July 3, 2024, 8:44pm

Nice find @Keegan. I can confirm that putting anything at all in the user agent string works.

Like you, I’m baffled as to why it’s only caused in issue in the last 24 hours though ¯_(ツ)_/¯

Topic		Replies	Views
Cloudflare IM NOT A ROBOT blocking API?!? API Feedback	10	2742	January 14, 2020
403 - Action Required Cloudflare block for API calls	3	80	August 29, 2024
Cloudflare Challenge On https://www.patreon.com/api/oauth2/token Friendly Help	7	3496	January 19, 2020
API endpoint calls suddenly started returning 403 from Cloudflare API Feedback	0	80	July 3, 2024
Suddenly 403 for campaigns/members API Feedback	10	190	September 18, 2024

403 Forbidden but not in Postman

Related topics