Keep getting "403 forbidden" errors on REST API

Hello,

For a couple of weeks now I have been trying to send data to the Losant REST API from a Campbell SCI datalogger, but I keep getting 403 errors. The authorization sequence is just right: I get the token and forward it with my POST request to send data, and then I get Forbidden. See TCP/IP output below (random line removed from token data):

14:13:15.16 T 50 4F 53 54 20 2F 61 70 70 6C 69 63 61 74 69 6F  POST /applicatio
14:13:15.16 T 6E 73 2F 35 63 61 65 35 32 66 34 35 63 35 63 37  ns/5cae52f45c5c7
14:13:15.16 T 61 30 30 30 37 33 38 38 64 33 64 2F 64 65 76 69  a0007388d3d/devi
14:13:15.16 T 63 65 73 2F 35 63 61 66 39 39 38 36 34 62 30 38  ces/5caf99864b08
14:13:15.16 T 39 64 30 30 30 61 37 34 35 39 37 62 2F 73 74 61  9d000a74597b/sta
14:13:15.16 T 74 65 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65  te HTTP/1.1..Use
14:13:15.16 T 72 2D 41 67 65 6E 74 3A 20 43 52 33 31 30 2E 53  r-Agent: CR310.S
14:13:15.16 T 74 64 2E 30 37 2E 30 35 0D 0A 48 6F 73 74 3A 20  td.07.05..Host: 
14:13:15.16 T 61 70 69 2E 6C 6F 73 61 6E 74 2E 63 6F 6D 0D 0A  api.losant.com..
14:13:15.16 T 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20  Content-Length: 
14:13:15.16 T 33 33 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65  33..Content-Type
14:13:15.16 T 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73  : application/js
14:13:15.16 T 6F 6E 3B 41 63 63 65 70 74 3A 20 61 70 70 6C 69  on;Accept: appli
14:13:15.16 T 63 61 74 69 6F 6E 2F 6A 73 6F 6E 3B 41 75 74 68  cation/json;Auth
14:13:15.16 T 6F 72 69 7A 61 74 69 6F 6E 3A 20 42 65 61 72 65  orization: Beare
14:13:15.16 T 72 20 65 79 4A 68 62 47 63 69 4F 69 4A 49 55 7A  r eyJhbGciOiJIUz
14:13:15.16 T 49 31 4E 69 49 73 49 6E 52 35 63 43 49 36 49 6B  I1NiIsInR5cCI6Ik
14:13:15.16 T 70 58 56 43 4A 39 2E 65 79 4A 7A 64 57 49 69 4F  pXVCJ9.eyJzdWIiO
14:13:15.16 T 69 49 31 59 32 46 6D 4F 54 6B 34 4E 6A 52 69 4D  iI1Y2FmOTk4NjRiM
14:13:15.16 T 44 67 35 5A 44 41 77 4D 47 45 33 4E 44 55 35 4E  Dg5ZDAwMGE3NDU5N
14:13:15.16 T 32 49 69 4C 43 4A 7A 64 57 4A 30 65 58 42 6C 49  2IiLCJzdWJ0eXBlI
14:13:15.16 T 6A 6F 69 5A 47 56 32 61 57 4E 6C 49 69 77 69 59  joiZGV2aWNlIiwiY
14:13:15.16 T 58 42 77 49 6A 6F 69 4E 57 4E 68 5A 54 55 79 5A  XBwIjoiNWNhZTUyZ
14:13:15.16 T 6A 51 31 59 7A 56 6A 4E 32 45 77 4D 44 41 33 4D  jQ1YzVjN2EwMDA3M
14:13:15.16 T 7A 67 34 5A 44 4E 6B 49 69 77 69 61 32 56 35 49  zg4ZDNkIiwia2V5I
14:13:15.16 T 6A 6F 69 4E 57 4E 69 5A 6A 56 6D 5A 6A 5A 6D 4D  joiNWNiZjVmZjZmM
---------------------------LINE REMOVED-----------------------------------------------------------------
14:13:15.16 T 57 49 78 49 69 77 69 5A 47 56 32 61 57 4E 6C 51  WIxIiwiZGV2aWNlQ
14:13:15.16 T 32 78 68 63 33 4D 69 4F 69 4A 6E 59 58 52 6C 64  2xhc3MiOiJnYXRld
14:13:15.16 T 32 46 35 49 69 77 69 63 32 4E 76 63 47 55 69 4F  2F5Iiwic2NvcGUiO
14:13:15.16 T 6C 73 69 59 57 78 73 4C 6B 52 6C 64 6D 6C 6A     lsiYWxsLkRldmlj
14:13:15.17 T 5A 53 4A 64 4C 43 4A 70 59 58 51 69 4F 6A 45 31  ZSJdLCJpYXQiOjE1
14:13:15.17 T 4E 54 59 77 4E 44 59 33 4F 44 41 73 49 6D 6C 7A  NTYwNDY3ODAsImlz
14:13:15.17 T 63 79 49 36 49 6D 46 77 61 53 35 6E 5A 58 52 7A  cyI6ImFwaS5nZXRz
14:13:15.17 T 64 48 4A 31 59 33 52 31 63 6D 55 75 61 57 38 69  dHJ1Y3R1cmUuaW8i
14:13:15.17 T 66 51 2E 44 56 34 6D 63 58 49 54 47 6D 51 4B 35  fQ.DV4mcXITGmQK5
14:13:15.17 T 78 59 69 48 4C 5F 32 6E 56 65 38 4B 36 6D 6C 4E  xYiHL_2nVe8K6mlN
14:13:15.17 T 44 54 70 76 74 63 4B 51 67 34 62 49 50 6B 0D 0A  DTpvtcKQg4bIPk..
14:13:15.17 T 0D 0A 7B 20 22 64 61 74 61 22 3A 20 7B 20 22 74  ..{ "data": { "t
14:13:15.17 T 65 73 74 76 61 6C 75 65 22 3A 20 36 38 2E 32 20  estvalue": 68.2 
14:13:15.17 T 7D 20 7D                                         } }
14:13:15.35 R 48 54 54 50 2F 31 2E 31 20 34 30 33 20 46 6F 72  HTTP/1.1 403 For
14:13:15.35 R 62 69 64 64 65 6E 0D 0A 44 61 74 65 3A 20 54 75  bidden..Date: Tu
14:13:15.35 R 65 2C 20 32 33 20 41 70 72 20 32 30 31 39 20 31  e, 23 Apr 2019 1
14:13:15.35 R 39 3A 31 33 3A 31 35 20 47 4D 54 0D 0A 43 6F 6E  9:13:15 GMT..Con
14:13:15.35 R 74 65 6E 74 2D 54 79 70 65 3A 20 61 70 70 6C 69  tent-Type: appli
14:13:15.35 R 63 61 74 69 6F 6E 2F 6A 73 6F 6E 0D 0A 43 6F 6E  cation/json..Con
14:13:15.35 R 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35 32 0D  tent-Length: 52.
14:13:15.35 R 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 6B 65 65  .Connection: kee
14:13:15.35 R 70 2D 61 6C 69 76 65 0D 0A 50 72 61 67 6D 61 3A  p-alive..Pragma:
14:13:15.35 R 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 61 63 68 65   no-cache..Cache
14:13:15.35 R 2D 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63  -Control: no-cac
14:13:15.35 R 68 65 2C 20 6E 6F 2D 73 74 6F 72 65 2C 20 6D 75  he, no-store, mu
14:13:15.35 R 73 74 2D 72 65 76 61 6C 69 64 61 74 65 0D 0A 58  st-revalidate..X
14:13:15.35 R 2D 43 6F 6E 74 65 6E 74 2D 54 79 70 65 2D 4F 70  -Content-Type-Op
14:13:15.35 R 74 69 6F 6E 73 3A 20 6E 6F 73 6E 69 66 66 0D 0A  tions: nosniff..
14:13:15.35 R 58 2D 58 53 53 2D 50 72 6F 74 65 63 74 69 6F 6E  X-XSS-Protection
14:13:15.35 R 3A 20 31 3B 20 6D 6F 64 65 3D 62 6C 6F 63 6B 0D  : 1; mode=block.
14:13:15.35 R 0A 43 6F 6E 74 65 6E 74 2D 53 65 63 75 72 69 74  .Content-Securit
14:13:15.35 R 79 2D 50 6F 6C 69 63 79 3A 20 64 65 66 61 75 6C  y-Policy: defaul
14:13:15.35 R 74 2D 73 72 63 20 27 6E 6F 6E 65 27 3B 20 73 74  t-src 'none'; st
14:13:15.35 R 79 6C 65 2D 73 72 63 20 27 75 6E 73 61 66 65 2D  yle-src 'unsafe-
14:13:15.35 R 69 6E 6C 69 6E 65 27 0D 0A 41 63 63 65 73 73 2D  inline'..Access-
14:13:15.35 R 43 6F 6E 74 72 6F 6C 2D 41 6C 6C 6F 77 2D 4F 72  Control-Allow-Or
14:13:15.35 R 69 67 69 6E 3A 20 2A 0D 0A 0D 0A 7B 22 74 79 70  igin: *....{"typ
14:13:15.35 R 65 22 3A 22 46 6F 72 62 69 64 64 65 6E 22 2C 22  e":"Forbidden","
14:13:15.35 R 6D 65 73 73 61 67 65 22 3A 22 41 63 63 65 73 73  message":"Access
14:13:15.35 R 20 69 73 20 66 6F 72 62 69 64 64 65 6E 22 7D      is forbidden"}

Here’s some info:

AppID: 5cae52f45c5c7a0007388d3d
DeviceID: 5caf99864b089d000a74597b
URL used to post: http://api.losant.com/

Thanks

Just as I gathered the courage to sign up and post my question here, I found the answer.

I read the Wikipedia page on standard HTTP headers and found out that they have to be separated by a semi-colon and \CR \LF. However, with the Losant REST API, only the field “Authorization” needs to be appended next to \CR and \LF. Here’s what it looks like in Campbell SCI’s CR Basic Language:

http_header = "Content-Type: application/json;Accept: application/json;" + CHR(13) + CHR(10)+ "Authorization: Bearer " + Token + CHR(13) + CHR(10)

This works, but the following does not:

http_header = "Content-Type: application/json;Accept: application/json;Authorization: Bearer " + Token + CHR(13) + CHR(10)

I wonder why the other header fields aren’t as strict as this one; I found out that a mere space character before the “Authorization” label leads to 403s as well. But the two other labels aren’t as picky…

Hope this will help.

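What a line-based header parser sees for the two `http_header` strings above, plus the leading-space variant, as an added example that is not part of the original post. The parser is a simplified RFC 7230-style sketch, not Losant's server code; the token, `APP_ID` and `DEVICE_ID` are constructed placeholders.

```python
CRLF = "\r\n"
TOKEN = "PLACEHOLDER.JWT.VALUE"  # constructed placeholder, not a real token
CT = "Content-Type: application/json;Accept: application/json;"

# The three header strings discussed in the post (constructed from its text).
BROKEN = CT + "Authorization: Bearer " + TOKEN + CRLF
WORKING = CT + CRLF + "Authorization: Bearer " + TOKEN + CRLF
LEADING_SPACE = CT + CRLF + " Authorization: Bearer " + TOKEN + CRLF


def build_request(extra_headers: str) -> bytes:
    """Mimic the logger: fixed headers, the user-supplied block, blank line, body."""
    head = ("POST /applications/APP_ID/devices/DEVICE_ID/state HTTP/1.1" + CRLF
            + "Host: api.losant.com" + CRLF
            + "Content-Length: 33" + CRLF
            + extra_headers + CRLF)
    return head.encode("ascii") + b'{ "data": { "testvalue": 68.2 } }'


def parse_headers(raw: bytes) -> dict:
    """Split the header block on CRLF; one field per line, name before first ':'."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    headers, last = {}, None
    for line in head.split(CRLF)[1:]:            # skip the request line
        if line[:1] in (" ", "\t") and last:     # obs-fold: continues previous value
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def bearer_token(raw: bytes):
    """Return the bearer token the parser can see, or None if there is none."""
    scheme, _, token = parse_headers(raw).get("authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


if __name__ == "__main__":
    for label, block in [("broken", BROKEN), ("working", WORKING),
                         ("leading space", LEADING_SPACE)]:
        req = build_request(block)
        print(label, "->", bearer_token(req), "|", parse_headers(req)["content-type"])
```

In the broken and leading-space forms the token ends up inside the `Content-Type` value, so the request carries no `Authorization` field at all, which matches the "no authorization token is provided" cause of a 403 given in the reply below. In the working form `Accept` is still not a separate header; it is only tolerated as trailing text on `Content-Type`.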

Hi @Simon-Pierre_Gagnon,

Welcome to the Losant Forums! Just a few things to get us debugging. We see 403 errors when either no authorization token is provided, or the authorization token does not have the proper scope. To debug this, I would recommend checking that your permissions for the Application API Token are correctly scoped. I would also recommend checking out this forum post which could provide some helpful information.

One additional way to debug is through Postman. Postman is a tool that can be used for POST requests, and will format the request for you; you just have to fill out the parameters. Here is an example of Postman:

Let me know what comes from this debugging!
Thanks,
Julia

Hi @Simon-Pierre_Gagnon,

Glad you were able to locate the answer, and thanks so much for sharing it!

Have a great day,
Julia