https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94683#M4012 <H6><SPAN>I hit the same 403 problem a while back and it drove me nuts because the sandbox gives you zero useful error info. What finally fixed it was checking the boring setup details instead of the code.</SPAN></H6><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>For me the sandbox only accepts Flex keys for tokenization. I was sending requests with my normal API keys and the sandbox just kept throwing 403 with no hint why. The other thing that tripped me up was the merchant ID not matching the key file I downloaded. CyberSource will not warn you about that, it just blocks the request. Also make sure the host is exactly apitest.cybersource.com and don’t add any extra headers because the sandbox silently rejects them.</P><P>Once I regenerated the Flex key pair and cleaned my config, the token call worked instantly. If you want to confirm fast, run the curl example from their docs. If curl succeeds, the issue is somewhere in the Node setup, not the sandbox.</P></DIV></DIV></DIV></DIV></DIV></DIV> Mon, 08 Dec 2025 11:09:37 GMT zackkev 2025-12-08T11:09:37Z https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94675#M4011 <P>Hi, I’m working on integrating CyberSource in sandbox with the Node.js SDK and I’m consistently getting a <STRONG>403 Forbidden</STRONG> response when attempting to create a payment token.</P><P>Basic setup:</P><UL><LI><P>Sandbox environment</P></LI><LI><P>Node.js REST SDK</P></LI><LI><P>Tokenization endpoint per docs</P></LI></UL><P>I’ve verified credentials, merchant ID, and environment configuration. No useful error body is returned, so debugging is difficult.</P><P>Questions:</P><OL><LI><P>Is this a known issue with the sandbox environment?</P></LI><LI><P>Are there additional headers or configuration steps required for tokenization?</P></LI><LI><P>Any working Node.js example would be very helpful.</P></LI></OL><P>Thanks.</P> Sun, 07 Dec 2025 13:31:56 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94675#M4011 samAndrew 2025-12-07T13:31:56Z https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94683#M4012 <H6><SPAN>I hit the same 403 problem a while back and it drove me nuts because the sandbox gives you zero useful error info. What finally fixed it was checking the boring setup details instead of the code.</SPAN></H6><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>For me the sandbox only accepts Flex keys for tokenization. I was sending requests with my normal API keys and the sandbox just kept throwing 403 with no hint why. The other thing that tripped me up was the merchant ID not matching the key file I downloaded. CyberSource will not warn you about that, it just blocks the request. Also make sure the host is exactly apitest.cybersource.com and don’t add any extra headers because the sandbox silently rejects them.</P><P>Once I regenerated the Flex key pair and cleaned my config, the token call worked instantly. If you want to confirm fast, run the curl example from their docs. If curl succeeds, the issue is somewhere in the Node setup, not the sandbox.</P></DIV></DIV></DIV></DIV></DIV></DIV> Mon, 08 Dec 2025 11:09:37 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94683#M4012 zackkev 2025-12-08T11:09:37Z https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94693#M4017 <DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><P>A 403 in the sandbox usually means a problem with credentials or setup. Double-check your API keys, merchant ID, and environment configuration. Make sure all required headers are included. Sandbox accounts sometimes block requests if they’re not fully activated. Using the Node.js examples from CyberSource can help confirm your setup.</P></DIV></DIV></DIV></DIV><DIV class="">&nbsp;</DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV></DIV><DIV class="">&nbsp;</DIV> Tue, 09 Dec 2025 19:43:09 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94693#M4017 aurden_amily 2025-12-09T19:43:09Z https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94695#M4019 <P>It's always a good idea to double-check the documentation for any additional configuration steps specific to tokenization. If possible, sharing a working Node.js example could really help clarify the process and ensure smoother integration.</P> Wed, 10 Dec 2025 10:28:46 GMT https://community.developer.cybersource.com/t5/cybersource-APIs/Sandbox-tokenization-returning-403-Forbidden-using-Node-js-SDK/m-p/94695#M4019 diegolopez 2025-12-10T10:28:46Z