Reddit API returns HTTP 403
Following the OAuth2 login flow described at https://github.com/reddit/reddit/wiki/OAuth2 I got to the point where POST-ing to https://www.reddit.com/api/v1/access_token returns something like this:

{'token_type': 'bearer', 'expires_in': 3600, 'scope': 'identity', 'access_token': '*****'}

Then I do

GET  https://oauth.reddit.com/api/v1/me

With this header:

Authorization: bearer *****

The response is HTTP 403 Unauthorized. But why? It is clear that the access token has 'identity' scope. It is also documented that the /api/v1/me call requires this scope only. (See https://www.reddit.com/dev/api/oauth#GET_api_v1_me )

So why am I getting http 403?

Ferino answered 2/2, 2017 at 17:49 Comment(5)
The format of the header is important: Authorization: Bearer <Token> - Snowball
Okay, sorry. Actually I have set it with a dict in Python. It does contain the colon. I'll fix the question. BTW the docs specify it with all small letters ("bearer" instead of "Bearer"), see at the end of github.com/reddit/reddit/wiki/… - Ferino
Hmm now it started to return 403 forbidden. Maybe it was returning that before too? I'm not sure. - Ferino
@Ferino Have you solved this? - Apiary
Yes, I have. But cannot tell what was wrong. I have changed many things in my code and eventually it started to work. - Ferino

I was experiencing the exact same issue as you described. In my case, I resolved the 403 by adding a faux user agent string in the request headers.

In my case, using HttpClient of C#, this proceeds like so:

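using System.Net.Http;

using (var client = new HttpClient())
{
    // Send an explicit User-Agent header with every request made by this client.
    client.DefaultRequestHeaders.Add("User-Agent", "MockClient/0.1 by Me");
    ...
}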
Shane answered 23/1, 2018 at 21:45 Comment(2)
This was the solution to my problem! Had been working with Postman but not my own script, I suppose because Postman automatically fills in the User-Agent header. - Portecochere
Just here to say the user agent string is crucial. I was using a string as recommended by reddit "os:app:version (by username)" but was still getting rejected. It seems for some reason my agent string was blacklisted despite having just begun using it. By changing it slightly where the app name was app-name-with-space-separators+" agent" suffix it got past the 403 and started working. - Clad

In my case this was because of a redirect.

Calling a non-oauth endpoint in my application (like https://www.reddit.com/r/learnpython/about.json) with the Authorization header would fail with code 403. But calling https://reddit.com/r/learnpython/about.json (without www) with the Authorization header succeeded. However both endpoints worked when I tried via Postman.

The reason for this is that reddit.com would redirect to www.reddit.com, which results in the Authorization header being dropped by Postman for the second request. In my application code, I was including the header with both requests, which explains the different behavior.

Solution: don't include the Authorization header when calling non-oauth endpoints.

Scalise answered 25/2, 2023 at 3:54 Comment(0)
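
An added Python example (not part of any answer above, and not Reddit's own code) that combines the two fixes reported in the answers: every request carries a User-Agent, and the bearer token is attached only for https://oauth.reddit.com, with headers recomputed on each redirect hop so the token never follows a redirect to another host. The User-Agent value, the function names and the redirect map are constructed for illustration; the map stands in for the network so the example runs offline.

```python
from urllib.parse import urlsplit

# Host taken from the question; the only host that should ever see the token.
OAUTH_HOST = "oauth.reddit.com"
# Constructed placeholder value, not a string recommended by the page.
USER_AGENT = "linux:example-app:0.1 (by /u/example)"

# Constructed redirect map (URL -> Location), mirroring the redirect in the last answer.
SAMPLE_REDIRECTS = {
    "https://reddit.com/r/learnpython/about.json":
        "https://www.reddit.com/r/learnpython/about.json",
}


def build_headers(url, token):
    """Headers for one request: User-Agent always, bearer token only
    for an exact match on the OAuth host over HTTPS."""
    parts = urlsplit(url)
    headers = {"User-Agent": USER_AGENT}
    if parts.scheme == "https" and parts.hostname == OAUTH_HOST:
        headers["Authorization"] = f"bearer {token}"
    return headers


def follow_redirects(start_url, token, redirects, max_hops=5):
    """Walk a redirect chain, rebuilding headers for every hop instead of
    copying the first request's headers to the redirect target."""
    hops = []
    url = start_url
    for _ in range(max_hops):
        hops.append((url, build_headers(url, token)))
        location = redirects.get(url)
        if location is None:
            return hops
        url = location
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    for url, headers in follow_redirects(
            "https://reddit.com/r/learnpython/about.json", "TOKEN", SAMPLE_REDIRECTS):
        print(url, sorted(headers))
```
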
