user3699398

Reputation: 561

Strapi API calling error: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}

I am working with Strapi and I am getting a 403 Forbidden error when calling an API, e.g. http://localhost:1337/data

I've called all the APIs and the result is the same 403 error. I've tried it with Postman also.

In the API route.js file I have this:

{
  "method": "GET",
  "path": "/data",
  "handler": "data.find",
  "config": {
    "policies": []
  }
}

The Strapi server is on localhost, port 1337.

A GET call from the browser: http://localhost:1337/data

I have a collection of data in MongoDB; it should return the JSON document, but it is giving this error: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Upvotes: 56

Views: 64237

Answers (6)

igloczek

Reputation: 1279

Open this URL: http://localhost:1337/admin/settings/users-permissions/roles. This is where you can manage permissions.

Find the Public role section. Inside it, you'll see Application permission. In this section, ensure that findone and find are checked. This setup is required for an API to work with a frontend application.

A word of caution: avoid enabling more permissions than necessary. When you enable permissions in the Public role, everyone can access them. It's similar to using chmod 777 on a Unix system, but possibly more harmful because it's available on the web. The best practice is to always limit permissions as much as possible.

Upvotes: 112

Yewin

Reputation: 373

Strapi API returning 403: Strapi has token authentication; you have to create a token in your content admin. After creating the token, try the header Authorization: Bearer "your token" on http://localhost:1337/api/your_contents. You can reference here.

Upvotes: 0

Kalnode

Reputation: 11364

Make sure JWT_SECRET and ADMIN_JWT_SECRET exist and are different

This may not directly help the OP, but it did clear up my Strapi 403 error.

I was getting 403 "invalid credentials" errors when making authenticated requests to the Strapi API, after a successful login. The same requests worked fine for anonymous users, and API permissions were identical for all roles.

Solution: Ultimately the issue in my case was that, in my .env file, JWT_SECRET and ADMIN_JWT_SECRET were identical (I was lazy), and Strapi seemed to have an issue with that. And on a side note, on my remote host I neglected to include JWT_SECRET in my env.

  1. Define explicit env variables for both
  2. Make sure they are different strings

config/server.js

module.exports = ({ env }) => ({
    admin: {
        auth: {
            secret: env('ADMIN_JWT_SECRET')
        }
    }
})

extensions/user-permissions/config/jwt.js

module.exports = {
    jwtSecret: process.env.JWT_SECRET
}

.env

JWT_SECRET=someLongSecretPassphrase
ADMIN_JWT_SECRET=aDifferentLongSecretPassphrase

Discussion here: https://github.com/strapi/documentation/issues/14

Upvotes: 2

Tellisense

Reputation: 2014

2021 answer: any time you get a 403 error in Strapi, it is ALWAYS, ALWAYS something to do with the permissions plugin. You need to think about what type of user you are at the moment: public, authenticated, or any other one you set up. Then you should check which permissions you are giving access to under Permissions. Below is an example of my issue and how I resolved it.

I was having this issue with just getting authenticated from Postman, and I found the problem after a few hours of trial and error. For anyone that is having authentication error 403 when you are just trying to log in: when you are trying to get authenticated while logging in, you are a public user at the moment, not an authenticated user. Therefore you need to allow a public user to make an authentication request. Go to Settings, under "Users and Permissions Plugin", "Roles", "Authenticated", "Permissions", "Users-Permissions", "Auth" and make sure that "callback" is checked! Then make your request from Postman and you should get a JWT back!

http://localhost:1337/admin/settings/users-permissions/roles/1

POST request to URL: http://localhost:1337/auth/local/

{
  "identifier": "[email protected]",
  "password": "strapi"
}

Upvotes: 18

Pierre

Reputation: 1096

Did you update your security rules from the Users and Permissions plugin?

http://localhost:1337/admin/plugins/users-permissions/

Upvotes: 41

TheSprinter

Reputation: 1528

As per the error message, MongoDB has nothing to do with this. You are getting 403, which means an access issue with this URL. The user may not have access to http://localhost:1337/data. This is a service-layer issue.

Upvotes: 0
