Existing API Endpoint returning 403 Forbidden

I created my API in the Advanced API builder as well as within the Catalogue. My API has a swagger definition and all endpoints are accounted for within my Swagger documentation. I checked the portal documentation as well as the API Endpoint Designer to make sure the endpoint returning forbidden exists and is whitelisted; it does exist and is whitelisted. I am at a loss as to what else I can do to resolve my issue. I am sure this an issue from being new with Tyk. Are there reserved endpoint words I cannot use?

I will say the rest of my API is working great within my application using Tyk as the gateway.

It could just not be matching your API paths correctly, I assume your targets in the API designer all have a slash in front of them, try removing that.

I did this, but it did not work. I copied the entire content of my swagger.json output from my API into sublime and edited all endpoints to have no forwardslash at the beginning.

To test, I am using the Chrome extension “Advanced Rest Client”. I am still seeing the same response.

{“error”: “Requested endpoint is forbidden”}

You need to edit the endpoints in the API designer, not in your portal. Try just editing them manually instead of messing with the swagger file. Then you can just test a single endpoint.

1 Like

I have updated the API Endpoint within the API designer to have no forward slash on the specific endpoint I was having trouble with. It is now properly responding.

Thank you for helping!

Is there a reason it would not be consistent? I am getting inconsistent results, with every few requests returning 403 Forbidden.

The white lists are extremely strict. So if the requests are different from what is defined they will be rejected. If the white lists need to handle variability, you will need to use curly braces to define them:


What are the differences between the requests being made?

The request I am working on is


The headers that are necessary are the only thing I am adding to the request.

What do the logs say?

I did an export of the API and rebuilt it. I had some extraneous endpoints to clean up anyway. Since doing this, everything seems to be working as expected.

1 Like

I am using the Hybrid method for my API Gateway. I updated my API and imported my API documentation to my current version. I again had the issue of an endpoint claiming it was forbidden. After waiting some time and clicking update on the API (not updating anything though) it eventually worked again.

Just wanted to mention it. Was this due to a delay in the Proxy?

Potentially - your scenario is very difficult to replicate. I would suggest updating your hybrid container, we’ve made many changes recently to improve it.

Is there any way for me to stay up-to-date with the changes being made to the hybrid container? Not the software updating itself, but notifications, etc?

Hmmm, not at the moment I’m afraid. You could star it no Docker hub:


It tells you when it was last updated.

Hi, I know this is an old topic, but I have a similar problem:

I have a POST method that fails the call:

curl -H “Content-Type: application/json” -X POST -d ‘{“username”:“MyUser”, “password”:“MyPassword”}’ http://AD-UAT-02:8080/mvapi/users/login

with the error:
“error”: “Requested endpoint is forbidden”

However if I call it as a get with parameters:

curl “http://AD-UAT-02:8080/mvapi/users/login/?username=MyUser&password=MyPassword

it responds properly.

In the API designer it shows as POST, /users/login and Whitelist

Removing the “Whitelist” doesn’t solve the problem (I’ve tried).

Can anyone help?


What worked for me was updating the API several times. Eventually, the API Endpoint updates stuck and it worked.

It seems weird that it works for a GET, but not for a POST, so it is working, only not working properly.
Do you know what (configuration) could allow the GET, but reject the POST? (even when it is configured as POST and not a GET)?

Have you tried removing the whitelist?

Is there a list of allowed endpoints in the prolicy for the token?