topic API Returns 403 for some but not all endpoints in cybersource APIs

API Returns 403 for some but not all endpoints

jnorman — Sun, 30 Apr 2023 06:19:06 GMT

Hi, I'm using a sandbox environment and I'm trying to generate a payment using an existing token, but am getting a 403 error. I tried the following things.

First, I have generated a REST Shared Secret key, and using both HTTP Signature as well as a p12 certificate, my calls to https://developer.cybersource.com/api-reference-assets/index.html#transaction-search_search-transactions_create-a-search-request seem to work either way. I've even been able to generate payments with a credit card.

I manually generated a subscription within the ebc2test admin UI. No issues... it gives me a valid customer number to work with, does the charges correctly, etc.

Now to the API endpoints I may want to use. I decided to start with a simple "Get a subscription" https://developer.cybersource.com/api-reference-assets/index.html#recurring-billing-subscriptions_subscriptions_get-a-subscription since nothing else seemed to be working. I changed the parameter correctly to have the correct subscription number i.e. https://apitest.cybersource.com/rbs/v1/subscriptions/6XXXXXXXXXXXXXXXXXXXX2 (obscured here) and I get the following response:

{
"submitTimeUtc": "2023-04-30T06:17:25.755Z",
"status": "FORBIDDEN",
"reason": "INVALID_DATA",
"message": "Authorization Failure!",
"details": []
}

What I don't get is why some endpoints seem to get a 403 and some don't with the exact same values for authorization. Any ideas?

Re: API Returns 403 for some but not all endpoints

jnorman — Tue, 09 May 2023 19:33:33 GMT

For anyone following this thread, I have emailed their developer support using this form https://developer.cybersource.com/support/contact-us.html and will post a follow-up presuming something useful comes back from them.

Re: API Returns 403 for some but not all endpoints

FCDev — Wed, 28 Jun 2023 17:21:51 GMT

Hey there, did you ever get a response from them? I am having the same issue right now. New key that will not work. This was the response I got:

{

"submitTimeUtc": "2023-06-28T16:57:28.902Z",

"status": "FORBIDDEN",

"reason": "INVALID_DATA",

"message": "Authorization Failure!"

}

I noticed it is specifically an authorization failure instead of an authentication failure. I did not see anywhere in the business center portal that would leave me to believe the key was a limited-rights key of any kind.

Re: API Returns 403 for some but not all endpoints

rajvpate — Mon, 03 Jul 2023 21:32:06 GMT

@jnorman : Were you able to create a Customer Token or a subscription :

"I manually generated a subscription within the ebc2test admin UI. No issues... it gives me a valid customer number to work with, does the charges correctly, etc. ?"

For Cybersource, the 2 entities are different. Customer token is created to identify a customer.

Subscription is a way to periodically charge a customer for recurring charges.

What is the use case you are trying to accomplish ? That should help us guide you in the correct direction.

Re: API Returns 403 for some but not all endpoints

jnorman — Tue, 08 Aug 2023 18:42:53 GMT

The solution turned out to be a combination of things.

First look at \Samples\Authentication\StandAloneHttpSignature.cs

Look at LegacyToken_id , uri to post pts/v2/payments

Re: API Returns 403 for some but not all endpoints

FCDev — Tue, 08 Aug 2023 18:49:17 GMT

\Samples\Authentication\StandAloneHttpSignature.cs is what I based my authentication on as well, and it worked on sandbox no issue

For me, the issue was because the development sandbox environment supported all operations and endpoints that I personally tested, but the live environment did NOT support certain endpoints for some reason. It just threw the FORBIDDEN. None of the documentation even stated that it was limited, or certain portions of Secure Acceptance was not going to be used (then why make it and all the docs neglect to mention this?).

I ended up going through the Simple Order system and the endpoints there supported my desired operations.

Re: API Returns 403 for some but not all endpoints

jnorman — Tue, 08 Aug 2023 18:51:33 GMT

That is very interesting to me. Thank you, and sorry it took so long to revisit.

Re: API Returns 403 for some but not all endpoints

jackwilliam78 — Thu, 26 Mar 2026 11:57:13 GMT

This looks like a permission or access issue on some endpoints. Maybe your API key or user role is not allowed to furni folks those requests. Check your auth settings and endpoint rules to fix the 403 error.