Why am I getting 403 when trying to access a custom route?

System Information
  • Strapi Version: 4.15.5
  • Operating System: MacOS Sonoma 14.1.2 (23B92)
  • Database: sqlite (local)
  • Node Version: v20.9.0
  • NPM Version: 10.1.0
  • Yarn Version: N/A

I’ve observed that this problem is not new. However, I couldn’t really find a solution. Most other posts are old.

So, this is happening after I tried to transition an app, which was using an old strapi version, 3.6.11, to strapi 4.15.5.

I didn’t really have any custom route that I need to set up, but, in order to learn more about strapi, I was trying to set up one, as explained in this official tutorial.

I did exactly as explained in the tutorial, but I still get this error

{"data":null,"error":{"status":403,"name":"ForbiddenError","message":"Forbidden","details":{}}}%

when executing the following command on the terminal

curl http://localhost:1337/api/consultants/with-meta-date

I created the file custom-routes.js in src/api/consultant/routes/ with

module.exports = {
  routes: [
    {
      method: "GET",
      path: "/consultants/with-meta-date",
      handler: "consultant.findCustomRoute",
      config: {
        auth: false
      },
    },
  ],
};

I’ve also enabled this route in the admin page, under Settings > USERS & PERMISSIONS PLUGIN > Roles > Public > Consultant > findCustomRoute.

I still get the error. Nothing works.

I’ve read that the problem may be the API token or maybe the order the way these routes are executed, but I don’t really know which token people are referring to, because I’m quite new to Strapi, and I also don’t know how I would need to reorder my routes, given that I only have a custom route, in a separate file, custom-routes.js, and I have the following default routes.js file

'use strict';

const {createCoreRouter} = require('@strapi/strapi').factories;

module.exports = createCoreRouter('api::consultant.consultant');

I can call curl http://localhost:1337/api/consultants and it works fine.

So, why is this problem happening? I don’t really want guesses. If this is supposed to happen because I’ve not done anything, I’d like to know the official solution (not “try this”). If this is a bug, then can you please point me to the Github issue? If this can be solved, how should I do it?

[Update] Upon further research I was pointed to this documentation article.

Explainer video here

Custom routes are loaded in “alphabetical order”

So you need to make sure that the custom route file that you added is loaded first.

You can accomplish this by renaming your routes.

For your custom routes you can call your file 1-custom-routes.js and then rename the consultant.js to 2-custom-routes.js.

Now everything should work as expected, we can check by running the yarn strapi routes:list command to see all the routes.

We now see that our custom route is loaded first.

[Original Message] I left this for context.

Thanks for the feedback. I tested your example and you are correct. This should not be the expected behavior.

I will create a bug for it [update - not a bug]. So the reason why it is failing is due to the ordering of routes.

To fix this for the time being you can just define your route like so.

module.exports = {
  routes: [
    {
      method: "GET",
      path: "/consultants/custom/with-meta-date",
      handler: "consultant.findCustomRoute",
    },
  ],
};

I will create a bug report for this.

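The route shadowing described in the answer above, as an added example (not part of the original posts and not Strapi's own code): a simplified first-match router showing why the request is authorized as the core router's `findOne` instead of `findCustomRoute`, and why both suggested fixes work. The `/consultants/:id` route, the matcher, and the Public-role permission set are assumptions made for the illustration.

```javascript
// Simplified first-match router for illustration; not Strapi's implementation.
// Assumption: the core router contributes find and findOne on these paths
// (the /api prefix is omitted throughout).
const coreRoutes = [
  { method: "GET", path: "/consultants", handler: "consultant.find" },
  { method: "GET", path: "/consultants/:id", handler: "consultant.findOne" },
];
const customRoute = (path, config = {}) => [
  { method: "GET", path, handler: "consultant.findCustomRoute", config },
];

// Route files are registered in alphabetical order of file name.
function loadRoutes(files) {
  return Object.keys(files).sort().flatMap((name) => files[name]);
}

// ":id" matches exactly one path segment.
function toRegex(path) {
  return new RegExp("^" + path.replace(/:[^/]+/g, "[^/]+") + "$");
}

// The first registered route that matches wins.
function resolve(routes, method, url) {
  return routes.find((r) => r.method === method && toRegex(r.path).test(url)) || null;
}

// Constructed Public-role permissions; findOne is assumed to be disabled.
const publicAllowed = new Set(["consultant.find", "consultant.findCustomRoute"]);

// The access decision uses the matched route's config and handler only.
function check(files, url) {
  const route = resolve(loadRoutes(files), "GET", url);
  if (!route) return { handler: null, status: 404 };
  const open = (route.config && route.config.auth === false) || publicAllowed.has(route.handler);
  return { handler: route.handler, status: open ? 200 : 403 };
}

const asPosted = check({
  "consultant.js": coreRoutes,
  "custom-routes.js": customRoute("/consultants/with-meta-date", { auth: false }),
}, "/consultants/with-meta-date");
const renamed = check({
  "1-custom-routes.js": customRoute("/consultants/with-meta-date", { auth: false }),
  "2-custom-routes.js": coreRoutes,
}, "/consultants/with-meta-date");
const deeperPath = check({
  "consultant.js": coreRoutes,
  "custom-routes.js": customRoute("/consultants/custom/with-meta-date"),
}, "/consultants/custom/with-meta-date");
console.log(asPosted, renamed, deeperPath);
```

Because the access decision follows whichever route matches first, `auth: false` on a shadowed route never takes effect; `yarn strapi routes:list` shows the effective order after any route file is added or renamed.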