403 Forbidden but not in Postman

I’m trying to call the Patreon API from my Cloudflare worker.

Here’s my code block:

		const url = `https://www.patreon.com/api/oauth2/v2/identity`;
		const responseTest = await fetch(url, {
			headers: {
				Authorization: `Bearer ${c.env.PATREON_CREATORS_ACCESS_TOKEN}`,
				'User-Agent': 'PostmanRuntime/7.39.0',
				Accept: '*/*',
				'Accept-Encoding': 'gzip, deflate, br',
				Connection: 'keep-alive',
			},
		});

I copied the headers over from Postman, where the request works. The above request works as well, but it requires this line in the headers 'User-Agent': 'PostmanRuntime/7.39.0' which feels wrong to me.

Without that entry in the headers, I receive a 403 Forbidden error.

Can someone help me understand why this is necessary and what I could replace it with so that my app works? What am I doing wrong here?

1 Like

I am having the 403 issue since yesterday (Forum post) (before that, everything worked great for days), so I assume it is an issue on Patreon’s side (I contacted support some hours ago).

Setting the user agent to Postman works for me as well, so thank you for mentioning this workaround! :orange_heart:

1 Like

+1 to the thanks for the Postman user-agent workaround, it resolved my error too.

@Keegan if you ever get a response as to why this is needed (or when it is no longer needed) please post!

2 Likes

Hey @Mike_Cross and @Duke I did a little more digging and found this: Cloudflare IM NOT A ROBOT blocking API?!? - #7 by Jackie_Bow

I noticed I was getting served a website response as well, so I’m assuming it is the same as this issue.

Turns out Patreon added a security feature to serve a robot check CAPTCHA to any request without the User-Agent header as it’s a signal that the request is coming from malware.

Works in Postman because Postman automatically generates the User-Agent header.

I searched the entire API documentation for the word “User-Agent” but nothing returned. This should really be included in the docs!

I haven’t tested yet but I believe any value for the header should work. Something like “node” or “Cloudflare-worker” is probably fine but again need to test!

1 Like
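An added example, not part of the original thread and not Patreon's code: a fetch wrapper for a Worker that sends a User-Agent naming the app itself (rather than borrowing Postman's) and tells an HTML bot-check page apart from a JSON API response. The names `APP_USER_AGENT`, `buildPatreonHeaders`, `classifyResponse` and `fetchIdentity`, and the User-Agent value, are assumptions made for illustration.

```javascript
// Constructed value: identify your own client honestly, with a contact or version.
const APP_USER_AGENT = 'my-patreon-integration/1.0 (Cloudflare Worker)';

// Build the request headers; refuse to send a request with an empty User-Agent,
// since the thread reports such requests get a 403 with a CAPTCHA page.
function buildPatreonHeaders(accessToken, userAgent = APP_USER_AGENT) {
  if (typeof userAgent !== 'string' || userAgent.trim() === '') {
    throw new Error('User-Agent must be a non-empty string');
  }
  return {
    Authorization: `Bearer ${accessToken}`,
    'User-Agent': userAgent,
    Accept: 'application/json',
  };
}

// Classify a response from its status and Content-Type:
//   'challenge' -> HTML came back, so an edge bot check answered, not the API
//   'ok'        -> 2xx with a JSON content type
//   'api-error' -> anything else (e.g. a JSON 401/403 for a bad or expired token)
function classifyResponse(status, contentType) {
  const type = (contentType || '').toLowerCase();
  if (type.includes('text/html')) return 'challenge';
  if (status >= 200 && status < 300 && type.includes('json')) return 'ok';
  return 'api-error';
}

// fetchImpl is injectable so the logic can be exercised without network access.
async function fetchIdentity(accessToken, fetchImpl = fetch) {
  const res = await fetchImpl('https://www.patreon.com/api/oauth2/v2/identity', {
    headers: buildPatreonHeaders(accessToken),
  });
  const kind = classifyResponse(res.status, res.headers.get('content-type'));
  if (kind === 'challenge') {
    throw new Error(
      `Blocked before reaching the API (HTTP ${res.status}, HTML body); check the User-Agent header`
    );
  }
  if (kind === 'api-error') {
    throw new Error(`Patreon API error: HTTP ${res.status}`);
  }
  return res.json();
}
```

Keeping the two failure cases separate means a 403 caused by the bot check is not mistaken for a revoked or mis-scoped access token.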

Weird that it was working last week though and my server just started getting the 403 yesterday. The post I shared is from 2020. :man_shrugging:

1 Like

Nice find @Keegan. I can confirm that putting anything at all in the user agent string works.

Like you, I’m baffled as to why it’s only caused an issue in the last 24 hours though ¯_(ツ)_/¯