Status 400

Hi All,

Just got a tonne of user reports that my Application that’s been deployed for 1year+ can’t login to Patreon with the below post, it’s failing for me too. Anyone else having this issue?

{Method: GET, RequestUri: '', Version: 1.1, Content: <null>, Headers:
  Accept: application/json
  Authorization: Bearer {BEARERTOKEN}
{StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
  Date: Wed, 08 May 2024 19:09:50 GMT
  Connection: keep-alive
  Set-Cookie: __cf_bm={COOKIE}; path=/; expires=Wed, 08-May-24 19:39:50 GMT;; HttpOnly; Secure
  Report-To: {"endpoints":[{"url":"https:\/\/\/report\/v4?s={ENDPOINTS}}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Strict-Transport-Security: max-age=2592000
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 880bbf151c08570c-DUB
  Content-Type: application/json
  Content-Length: 2

I think though if cloudflare is eating it, it’s not even hitting the API?

My post that’s been working for a year+ that stopped working today:

var PostURL2 = "[member]=patron_status,currently_entitled_amount_cents,full_name,email/";

var client = new HttpClient();
    .Add(new MediaTypeWithQualityHeaderValue("application/json"));
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AccessToken);

var response2 = await client.GetAsync(PostURL2);
var responseContent2 = await response2.Content.ReadAsStringAsync();
if (response2.IsSuccessStatusCode)


Same here, our SSO integration worked for 6 years up to now, ever since the last time Patreon pulled the rug without any warning. It would be really great to have any more feedback besides 400 and {}.

1 Like

@Zorthos I went through their PHP SDK on GitHub and noticed they add a User-Agent header to every request. Adding a User-Agent header actually fixed this for me. Could you try it?

Our headers look like this now:

Accept: application/json
Authorization: Bearer ###########
User-Agent: (Linux 5.15.0-60-generic)

In hindsight that’s just common courtesy and I should’ve known better…

1 Like

Adding User-Agent solved it for me as well.

1 Like

Amazing catch, adding User-Agent fixes it for me too. Thank you!
Similar to when in November 23 they suddenly stopped accepting requests which missed “www.”, having to do app updates late at night that block Patrons from getting their rewards is the absolute worst.

1 Like

It sure raises questions but it’s tons better than trying to deal with Dutch banks as a Ukrainian refugee who draws pp for a living. I’m just happy I was able to find the issue before it caused too much damage and hopefully help a few others tonight :heart:

Adding user agent fixed it for me. Nice work finding that.

Luckily one of my patrons reported the problem and I checked here. My stuff has been working solidly for years and I could have easily never noticed it. If anyone from patreon reads this (doubt it), realize that screw-ups like this can cost thousands of dollars per user.

1 Like

Boggles my mind. Putting your API behind WAF may not seem like a big deal but honestly every time I’ve overseen such a transition we kept a tight schedule and informed our users, because it never ever goes completely without a hitch.

In this case I’d completely agree that API clients should by all means provide a User-Agent header, but if you’re going to refuse requests based on that it should be in the docs.

That said, does anyone feel like updating the docs? There’s a GitHub repo for it which accepts PRs.

Malicious sources started making an exorbitant amount of calls to the api so we had to implement some measures, sorry for the disruption. Yes, adding a user agent string to your calls is necessary now. Api docs will be updated today.

With this opportunity, do add a descriptive user agent to your client like ‘MyCampaign - SSO’ or ‘MyCampaign - Sync’ etc. This would help identify your client and campaign and make it faster for us to investigate issues when you need support.

(This change has been temporarily reverted so that you will have time to update your integrations)