All of my fetch requests for content work, but my post request for user auth returns 403

I have a test user assigned to the Public role. The user is confirmed, and not blocked. The Public role has all the “auth” permissions in the User permissions plugin, except for changePassword.

My request:

```js
const auth = await fetch(url, {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    identifier: email,
    password: password
  })
}).then(response => {
  console.log('Status:', response.status);
  console.log('Status Text:', response.statusText);
  return response.json();
}).then(data => {
  console.log('Response Data:', data);
}).catch(error => {
  console.error('Error:', error);
});
```

And in my server console:

```
2024-06-12 10:42:28 Status: 403
2024-06-12 10:42:28 Status Text: Forbidden
2024-06-12 10:42:28 Response Data: {
2024-06-12 10:42:28   data: null,
2024-06-12 10:42:28   error: {
2024-06-12 10:42:28     status: 403,
2024-06-12 10:42:28     name: 'ForbiddenError',
2024-06-12 10:42:28     message: 'Forbidden',
2024-06-12 10:42:28     details: {}
2024-06-12 10:42:28   }
2024-06-12 10:42:28 }
```

What could be causing the 403? Again, all my GET requests for page content work fine.

This topic has been created from a Discord post (1250460658919542785) to give it more visibility.

The URL variable above is set to:

http://strapi:1337/api/auth/local

I figured it out so I’m posting here for future people:

The API token I was passing for the auth request was my read-only API key I was using for grabbing content. If you are passing an API key you need it to be full-access for auth requests to work.

If you are sending an Auth POST request, it shouldn't have an authorization header.

If an authorization header exists, it's no longer a "public" request for users-permissions.
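An added example (not code from this thread) showing the fix in working form: the client keeps the read-only API token for content GETs but leaves the Authorization header off the `/api/auth/local` POST, then uses the returned user JWT for later requests. The Strapi side is simulated by a constructed `fakeStrapi` so the flow runs offline; the base URL, token and JWT values are placeholders.

```javascript
// Added example, not code from the thread: a small Strapi client that keeps a
// read-only API token for content GETs but sends the login POST with no
// Authorization header, then uses the returned user JWT for later requests.
// `fetchImpl` is injected so the flow runs offline; the base URL, token and
// JWT values are constructed placeholders.

const AUTH_PATH = "/api/auth/local";

// Build fetch options for a Strapi request. For the login endpoint the
// Authorization header is deliberately dropped: users-permissions treats any
// request carrying one as non-public, and an API token cannot log a user in.
function buildRequest(path, { method = "GET", token, body } = {}) {
  const headers = { "Content-Type": "application/json" };
  if (token && path !== AUTH_PATH) headers.Authorization = `Bearer ${token}`;
  return { method, headers, body: body === undefined ? undefined : JSON.stringify(body) };
}

// POST /api/auth/local; returns { jwt, user } or throws with Strapi's error name.
async function login(baseUrl, identifier, password, fetchImpl = fetch) {
  const opts = buildRequest(AUTH_PATH, { method: "POST", body: { identifier, password } });
  const res = await fetchImpl(baseUrl + AUTH_PATH, opts);
  const data = await res.json();
  if (!res.ok) throw new Error(`login failed: ${res.status} ${data?.error?.name ?? ""}`);
  return data;
}

// GET a content path with the user's JWT (or an API token) in the header.
async function fetchContent(baseUrl, path, token, fetchImpl = fetch) {
  const res = await fetchImpl(baseUrl + path, buildRequest(path, { token }));
  return res.json();
}

// Constructed stand-in for the two Strapi behaviours this thread turns on:
// the login route rejects requests that carry an Authorization header, and
// the content route requires one.
async function fakeStrapi(url, options) {
  const hasAuth = Boolean(options.headers && options.headers.Authorization);
  const path = new URL(url).pathname;
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  const forbidden = { data: null,
    error: { status: 403, name: "ForbiddenError", message: "Forbidden", details: {} } };
  if (path === AUTH_PATH) {
    return hasAuth ? reply(403, forbidden)
                   : reply(200, { jwt: "constructed-user-jwt", user: { id: 1 } });
  }
  return hasAuth ? reply(200, { data: [{ id: 1 }] }) : reply(403, forbidden);
}
```

Swap `fakeStrapi` for the real `fetch` (the default) against a live instance; the request shape is unchanged.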