Strapi API calling error: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}
I am working with Strapi and I am getting a 403 Forbidden error when calling an API, e.g. http://localhost:1337/data
I've called all the APIs and the result is the same 403 error. I've tried it with Postman also.
In the API route.js file I have this:
{
  "method": "GET",
  "path": "/data",
  "handler": "data.find",
  "config": {
    "policies": []
  }
}
The Strapi server is on localhost, port 1337.
A GET call from the browser: http://localhost:1337/data
I have a collection of data in MongoDB; it should give the JSON document,
but it is giving this:
Error: {"statusCode":403,"error":"Forbidden","message":"Forbidden"}
Solution 1:[1]
Go to http://localhost:1337/admin/settings/users-permissions/roles, then to the Public role, and in the Application permission section check findone and find. It will cover the needs of an API for a frontend app.
Remember not to select more than you need: it will become publicly available to everyone. It may be like chmod 777, but worse.
Solution 2:[2]
Did you update your security rules from the Users and Permissions plugin?
Solution 3:[3]
2021 answer: any time you get a 403 error in Strapi, it is ALWAYS, ALWAYS something to do with the permissions plugin. You need to think about what type of user you are at the moment: public, authenticated, or any other one you set up. Then you should check which permissions you are giving access to under permissions. Below is an example of my issue and how I resolved it.
I was having this issue with just getting authenticated from Postman and I found the problem after a few hours of trial and error. This is for anyone who is having authentication error 403 when just trying to log in. When you are trying to get authenticated while logging in, you are a public user at the moment, not an authenticated user. Therefore you need to allow a public user to make an authentication request. Go to settings, under "Users and Permissions Plugin", "Roles", "Authenticated", "Permissions", "Users-Permissions", "Auth" and make sure that "callback" is checked! Then make your request from Postman and you should get a JWT back!
http://localhost:1337/admin/settings/users-permissions/roles/1
POST request to URL: http://localhost:1337/auth/local/
{
  "identifier": "[email protected]",
  "password": "strapi"
}
Solution 4:[4]
Make sure JWT_SECRET and ADMIN_JWT_SECRET exist and are different
This may not directly help the OP, but it did clear up my Strapi 403 error.
I was getting 403 "invalid credentials" errors when making authenticated requests to the Strapi API, after successful login. The same requests worked fine for anonymous users, and API permissions were identical for all roles.
Solution:
Ultimately the issue in my case was that, in my .env file, JWT_SECRET and ADMIN_JWT_SECRET were identical (I was lazy), and Strapi seemed to have an issue with that. And on a side note, on my remote host I neglected to include JWT_SECRET in my env.
- Define explicit env variables for both
- Make sure they are different strings
config/server.js
module.exports = ({ env }) => ({
  admin: {
    auth: {
      // Secret for admin panel JWTs, read from the environment
      secret: env('ADMIN_JWT_SECRET')
    }
  }
})
extensions/user-permissions/config/jwt.js
module.exports = {
  // Secret for API user JWTs; must differ from ADMIN_JWT_SECRET
  jwtSecret: process.env.JWT_SECRET
}
.env
JWT_SECRET=someLongSecretPassphrase
ADMIN_JWT_SECRET=aDifferentLongSecretPassphrase
Discussion here: https://github.com/strapi/documentation/issues/14
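The two failure modes described in Solution 4 (identical secrets, and JWT_SECRET missing from the environment) can be caught before Strapi starts. The script below is an added example, not part of the original answer or of Strapi itself; the function names, the 32-character minimum and the sample .env contents are assumptions made for illustration.

```javascript
// Added example: pre-start check for the two secrets discussed in Solution 4.
// MIN_LENGTH and KNOWN_SAMPLES are assumptions of this sketch, not Strapi rules.
// A fresh secret can be generated with:
//   node -e "console.log(require('crypto').randomBytes(48).toString('base64'))"
const MIN_LENGTH = 32;
const KNOWN_SAMPLES = ['someLongSecretPassphrase', 'aDifferentLongSecretPassphrase'];
const REQUIRED = ['JWT_SECRET', 'ADMIN_JWT_SECRET'];

// Minimal .env parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseDotEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue; // no key before '=' (or no '=' at all)
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(['"])(.*)\1$/);
    if (quoted) value = quoted[2];
    env[key] = value;
  }
  return env;
}

// Returns a list of problems; an empty list means both secrets look usable.
function checkJwtSecrets(env) {
  const problems = [];
  for (const name of REQUIRED) {
    const value = env[name];
    if (!value) { problems.push(`${name} is missing or empty`); continue; }
    if (value.length < MIN_LENGTH) problems.push(`${name} is shorter than ${MIN_LENGTH} characters`);
    if (KNOWN_SAMPLES.includes(value)) problems.push(`${name} is a sample value copied from documentation`);
  }
  if (env.JWT_SECRET && env.JWT_SECRET === env.ADMIN_JWT_SECRET) {
    problems.push('JWT_SECRET and ADMIN_JWT_SECRET are identical');
  }
  return problems;
}

// Constructed sample inputs (not real secrets).
const SAMPLE_IDENTICAL = 'JWT_SECRET=someLongSecretPassphrase\nADMIN_JWT_SECRET=someLongSecretPassphrase\n';
const SAMPLE_MISSING = '# remote host\nADMIN_JWT_SECRET="q8Zr2mX0pLw7Tn5vKc3Jd9Hf1Bs6Gy4AeUoIiNtRz"\n';

console.log(checkJwtSecrets(parseDotEnv(SAMPLE_IDENTICAL)));
console.log(checkJwtSecrets(parseDotEnv(SAMPLE_MISSING)));
```

Passing `process.env` to `checkJwtSecrets` instead of a parsed file checks the values the running process will actually see, which is what matters on a remote host.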
Solution 5:[5]
As per the error message, MongoDB has nothing to do with this. You are getting 403; this means an access issue with this URL. The user may not have access to http://localhost:1337/data. This is a service layer issue.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
| Solution 2 | Pierre |
| Solution 3 | ghosh |
| Solution 4 | |
| Solution 5 | TheSprinter |
