This repository has been archived by the owner on Mar 9, 2018. It is now read-only.

HTTP 403 forbidden when accessing API endpoints

Aaron Couch edited this page Feb 26, 2017 · 3 revisions

This may be caused by crumb, a CSRF mitigation tool.

We're using crumb, which helps diminish CSRF attacks. You'll get a new CSRF token (via cookies) on each response from the server. The front-end code looks for this token and passes it back to the server via the X-CSRF-Token header with each request made to the server.

This does make it harder to interact with the API manually, or via apps like Postman, since you have to do the dance of finding the token in the cookie header and passing the token back via the X-CSRF-Token header with your next request.

Possible solutions:

  • You could disable crumb by removing it from the manifest.js file.
  • If you only want to disable CSRF protection during development, you could modify manifest.js to only include crumb when NODE_ENV=production.
  • You can see if a different configuration would work better for you; see the crumb docs.

Using Postman

To use Postman, take the following steps:

  1. Install Postman and Postman Interceptor

  2. Sign into your local Aqua site in Chrome

  3. Add your route to the "Enter Request URL" field in Postman

  4. Add a header by clicking "Headers" with the key "Cookie" and a value of the form "sid-aqua=XXX;crumb=XXX". You can copy the cookie from your Chrome browser, or make an initial request and click the "Cookie" tab.

  5. Send your request and you should get an authenticated reply!

(Screenshot of the Postman request, 2017-02-25)

That's it

We hope this was helpful. If you have questions or think this page should be expanded please contribute by opening an issue or updating this page.