API Returns 403 for some but not all endpoints

Hi, I'm using a sandbox environment and I'm trying to generate a payment using an existing token, but am getting a 403 error.  I tried the following things.

First, I have generated a REST Shared Secret key, and using both HTTP Signature as well as a p12 certificate, my calls to https://developer.cybersource.com/api-reference-assets/index.html#transaction-search_search-transact... seem to work either way.  I've even been able to generate payments with a credit card.

I manually generated a subscription within the ebc2test admin UI.  No issues... it gives me a valid customer number to work with, does the charges correctly, etc.

Now to the API endpoints I may want to use.  I decided to start with a simple "Get a subscription" https://developer.cybersource.com/api-reference-assets/index.html#recurring-billing-subscriptions_su... since nothing else seemed to be working.  I changed the parameter correctly to have the correct subscription number i.e. https://apitest.cybersource.com/rbs/v1/subscriptions/6XXXXXXXXXXXXXXXXXXXX2 (obscured here) and I get the following response:

{
"submitTimeUtc": "2023-04-30T06:17:25.755Z",
"status": "FORBIDDEN",
"reason": "INVALID_DATA",
"message": "Authorization Failure!",
"details": []
}

What I don't get is why some endpoints seem to get a 403 and some don't with the exact same values for authorization.  Any ideas?

 

 

jnorman
Member
6 REPLIES

For anyone following this thread, I have emailed their developer support using this form https://developer.cybersource.com/support/contact-us.html and will post a follow-up presuming something useful comes back from them.

jnorman
Member

Hey there, did you ever get a response from them? I am having the same issue right now. New key that will not work. This was the response I got:

{
  "submitTimeUtc": "2023-06-28T16:57:28.902Z",
  "status": "FORBIDDEN",
  "reason": "INVALID_DATA",
  "message": "Authorization Failure!"
}
 
I noticed it is specifically an authorization failure instead of an authentication failure. I did not see anywhere in the business center portal that would lead me to believe the key was a limited-rights key of any kind.

FCDev
Member
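
The observation in this thread, that the same key gets a 403 "Authorization Failure!" on one endpoint while another endpoint accepts it, can be turned into a small triage step over recorded responses. This is an added example, not code from any poster or from Cybersource; the sample calls, the `classify` and `triage` names and the verdict strings are constructed for illustration.

```python
import json
from collections import defaultdict

FORBIDDEN_BODY = ('{"status": "FORBIDDEN", "reason": "INVALID_DATA", '
                  '"message": "Authorization Failure!", "details": []}')
# Constructed sample: (environment, method, path, HTTP status, raw body),
# every call signed with the same key. SUBSCRIPTION_ID is a placeholder.
SAMPLE_CALLS = [
    ("sandbox", "POST", "/pts/v2/payments", 201, '{"status": "AUTHORIZED"}'),
    ("sandbox", "GET", "/rbs/v1/subscriptions/SUBSCRIPTION_ID", 403, FORBIDDEN_BODY),
    ("live", "GET", "/rbs/v1/subscriptions/SUBSCRIPTION_ID", 403, FORBIDDEN_BODY),
]

def classify(status, raw_body):
    """Map one response to ('ok' | 'authn' | 'authz' | 'other', parsed body)."""
    try:
        body = json.loads(raw_body) if raw_body else {}
    except ValueError:
        body = {}  # a proxy or gateway may answer with HTML or nothing
    if not isinstance(body, dict):
        body = {}
    if 200 <= status < 300:
        return "ok", body
    # 401: the caller was not identified. 403: identified, but not allowed.
    return {401: "authn", 403: "authz"}.get(status, "other"), body

def triage(calls):
    """Return {environment: (verdict, [forbidden 'METHOD path', ...])}."""
    seen = defaultdict(lambda: defaultdict(list))
    for env, method, path, status, raw in calls:
        kind, _ = classify(status, raw)
        seen[env][kind].append(f"{method} {path}")
    result = {}
    for env, kinds in seen.items():
        if kinds["authz"] and kinds["ok"]:
            verdict = "key accepted; endpoint not permitted for this account"
        elif kinds["authz"]:
            verdict = "forbidden on every call; no proof yet that the key is accepted"
        elif kinds["authn"]:
            verdict = "signature or key rejected"
        else:
            verdict = "inconclusive" if kinds["other"] else "ok"
        result[env] = (verdict, sorted(kinds["authz"]))
    return result

if __name__ == "__main__":
    for env, (verdict, blocked) in triage(SAMPLE_CALLS).items():
        print(env, "->", verdict, blocked)
```

A mixed result in one environment points at account or endpoint entitlement rather than at the signing code, which is the case both posters describe.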

@jnorman: Were you able to create a Customer Token or a subscription?

"I manually generated a subscription within the ebc2test admin UI. No issues... it gives me a valid customer number to work with, does the charges correctly, etc."

For Cybersource, the 2 entities are different. A customer token is created to identify a customer.

A subscription is a way to periodically charge a customer for recurring charges.

What is the use case you are trying to accomplish? That should help us guide you in the correct direction.

rajvpate
Administrator

The solution turned out to be a combination of things.

First, look at \Samples\Authentication\StandAloneHttpSignature.cs

Look at LegacyToken_id, uri to post pts/v2/payments

 

\Samples\Authentication\StandAloneHttpSignature.cs is what I based my authentication on as well, and it worked on sandbox no issue.

For me, the issue was because the development sandbox environment supported all operations and endpoints that I personally tested, but the live environment did NOT support certain endpoints for some reason. It just threw the FORBIDDEN. None of the documentation even stated that it was limited, or certain portions of Secure Acceptance were not going to be used (then why make it and all the docs neglect to mention this?).

I ended up going through the Simple Order system and the endpoints there supported my desired operations.

FCDev
Member

That is very interesting to me.  Thank you, and sorry it took so long to revisit.