API endpoint calls suddenly started returning 403 from Cloudflare

Hi there, as of a few hours ago, our API calls against Patreon’s API suddenly started failing against all endpoints with the following response body (response code 403):

<!DOCTYPE html>\n<!--[if lt IE 7]> 
<html class="no-js ie6 oldie" lang="en-US">
   ->\n<!--[if IE 7]>    
   <html class="no-js ie7 oldie" lang="en-US">
      <![endif]-->\n<!--[if IE 8]>    
      <html class="no
         -js ie8 oldie" lang="en-US">
         <![endif]-->\n<!--[if gt IE 8]><!--> 
         <html class="no-js" lang="en-US">
               <title>Attention Required! | Cloudflare</title>
               <meta charset="UTF-8" />
               <meta http-equiv="Content
                  -Type" content="text/html; charset=UTF-8" />
               <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
               <meta name
                  ="robots" content="noindex, nofollow" />
               <meta name="viewport" content="width=device-width,initial-scale=1" />
               <link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />
               \n<!--[if lt IE 9]>
               <link rel="st
                  ylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" />
               \n\n\n<!--[if gte IE 10]><!-->\n<script>\n  if (!navigator.cookieEnabled) {\n    window.addEventLis
                  tener('DOMContentLoaded', function () {\n      var cookieEl = document.getElementById('cookie-alert');\n      coo
                  kieEl.style.display = 'block';\n    })\n  }\n
               <div id="cf-wrap
                  <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies"
                     >Please enable cookies.</div>
                  <div id="cf-error-details" class="cf-error-details-wrapper">
                     <div class
                        ="cf-wrapper cf-header cf-error-overview">
                        <h1 data-translate="block_headline">Sorry, you have been bloc
                        <h2 class="cf-subheadline">
                           <span data-translate="unable_to_access">
                              You are unable to access</sp
                              an> patreon.com
                     <!-- /.header -->\n\n      <div class="cf-section cf-highlight">\n        <div 
                        class="cf-wrapper">\n          <div class="cf-screenshot-container cf-screenshot-full">\n            \n          
                     <span class="cf-no-screenshot error"></span>\n            \n          </div>\n        </div>\n      </div><!-
                     - /.captcha-container -->\n\n      <div class="cf-section cf-wrapper">\n        <div class="cf-columns two">\n   
                     <div class="cf-column">\n            <h2 data-translate="blocked_why_headline">Why have I been blocked?</h
                     2>\n\n            <p data-translate="blocked_why_detail">This website is using a security service to protect itse
                     lf from online attacks. The action you just performed triggered the security solution. There are several actions 
                     that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p>
                     \n          </div>\n\n          <div class="cf-column">\n            <h2 data-translate="blocked_resolve_headline
                        ">What can I do to resolve this?</h2>\n\n            <p data-translate="blocked_resolve_detail">You can email the
                     site owner to let them know you were blocked. Please include what you were doing when this page came up and the 
                     Cloudflare Ray ID found at the bottom of this page.</p>\n          </div>\n        </div>\n      </div><!-- /.sec
                        tion -->\n\n      <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-cente
                        r sm:text-left border-solid border-0 border-t border-gray-300">\n  <p class="text-13">\n    <span class="cf-foote
                        r-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">89d57b40ca0f9714</strong></span>\n    <
                     span class="cf-footer-separator sm:hidden">&bull;</span>\n    <span id="cf-footer-item-ip" class="cf-footer-item 
                        hidden sm:block sm:mb-1">\n      Your IP:\n      <button type="button" id="cf-footer-ip-reveal" class="cf-footer-
                        ip-reveal-btn">Click to reveal</button>\n      <span class="hidden" id="cf-footer-ip">2a03:b0c0:2:d0::e28:f001</s
                     pan>\n      <span class="cf-footer-separator sm:hidden">&bull;</span>\n    </span>\n    <span class="cf-footer-it
                        em sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cl
                        oudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>\n    \n  </p>\n  <script>(f
                        unction(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"
                        classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.g
                        etElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventL
                     </script>\n</div><!-- /.error-footer -->\n\n\n    
                  <!-- /#cf-error-details
               <!-- /#cf-wrapper -->\n\n  <script>\n  window._cf_translation = {};\n  \n  \n</script>\n\n
         \n, referer: https://www.patreon.com/

This seems to be related to 403 Forbidden but not in Postman - #2 by Duke and Suddenly 403 for campaigns/members - #5 by TimothyLuke, but the workaround of setting the user agent to postman isn’t working for us.

We’re not sure what to do here. Was there a change recently to the authentication process that we need to make on our end?


1 Like