Rest API Activity, 403 forbidden error for POST

I am getting 403, Forbidden error while trying to do a POST activity using Rest API Activity.
I have given header parameter as Content-Type - application/json and input parameters :
I am able to successfully do a Get method on the same but PUT is throwing error.


PUT method means means “insert, replace if already exists” . Kindly check if you are able to make PUT request to your API via some other channel say POSTMAN



Tested PUT and POST methods using SAP Gateway Service. Both are successful.
PUT method is also throwing 403 forbidden error in Assistedge.
I tried adding X-CSRF-Token also as header still getting same error.

Thanks and Regards,
Lakshmi Sankergi


The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

Check if the API requires authorization

Amit Anand

Hi Amit,

The API does require authorization.I am trying to do a GET method with X-CSRF-Token - Fetch as header for fetching the token. Can you help me to figure out how I can get the response header as output to read the token fetched.

Thanks and Regards,
Lakshmi Sankergi

Hi, I am facing a similar issue. Did you find any fix to this problem?

This error indicates that the server has determined that you are not allowed access to the thing you’ve requested, either on purpose or due to a misconfiguration . It’s probably because the site owner has limited access to it and you don’t have permission to view it. The vast majority of the time, there’s not much you can do to fix things on your (*client) end. There are four common causes for 403 Forbidden error (server side) . Here they are listed from most likely to least likely:

  • An empty website directory
  • No index page
  • Incorrect settings in the .htaccess file
  • Permission / Ownership error

If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.