Openapi GET Backups always returns 403 forbidden

I am messing around with the Ignition API and am trying to download a gateway backup using curl. I created an API key in my Ignition gateway and I am exporting the key in my shell using export API_TOKEN. When I make my curl request to the gateway, I get a 403 Forbidden response. I don't understand why or how to fix it. I tried creating a new security level under Authenticated and that didn't work. I can't assign my API key to the Admin security level. What do I need to do?

Here is my curl command:

curl -v \
-H "X-Ignition-API-Token: $API_TOKEN" \
-o gateway-backup.gwbk \
"http://$GW_ADDR:8088/data/api/v1/backup"

Did you deselect the check box when creating the API token?

Oy! Crazy-talk!

Eh.

  1. You should absolutely be using TLS.
  2. You may still need to turn this checkbox off if you're terminating TLS at a reverse proxy.

We're limited in how much assistance we can be without knowing how you've configured the API Key, Security Levels, and Read Permission settings within your security-properties resource (via the Platform > Security > General Settings page).

Verify:

  1. Some Security Level exists which you can use for this API Key. Ideally, this Security Level would be unused by anything else.
  2. Your security settings have the security level from step 1 checked for Gateway Read Permissions, and you've saved that setting.
  3. The API Key itself must have the Security Level from step 1 checked and saved.
  4. The token you are using is correct (may warrant making a new token to be sure).

Also, as an alternative to un-checking the secure connections setting for the key, have you tried using that token against the HTTPS port configured for your Gateway? If the "Require secure connection" checkbox is checked, the token will only work against requests coming through the HTTPS port. Verify SSL/TLS is enabled, then hit that HTTPS port and see if you get the desired result.

Finally...

the API_TOKEN variable must contain the FULL token.

So the header value itself (the API_TOKEN variable) has to be <apiKeyName>:<keyValue>, where:

  • <apiKeyName> is the name of the API Key resource as configured in Platform → Security → API Keys (it's the map key used to look the token up).

  • <keyValue> is the random Base64-url string that POST /data/api/v1/api-token/generate returned in the key field (see ApiTokenRoutes.java:74-78) — e.g. p3wRdNxufWgMbovC14yPkr9o_GKJlno-K7c99LKexSo.

If $API_TOKEN is just the key value with no colon in it, the very first guard (Ignition platform code) fails, validateRequest returns Optional.empty(), the request is treated as unauthenticated, and the route's requirePermission(READ) check returns 403 — the same symptom as the HTTPS issue.

(thanks, Claude)
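As an added example (not from this thread and not Inductive Automation's code), here is a small POSIX shell script that applies the two diagnoses above before and after the request: it checks that API_TOKEN has the <apiKeyName>:<keyValue> shape, sends the request to the HTTPS port rather than 8088, and maps the status code back to the checklist. The default HTTPS port 8043, the host name, the key name `backup-key`, and the exact status-code meanings beyond 200/403 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Ignition's own code base.
# Checks the token shape described in the thread, then fetches the backup
# over HTTPS and explains the HTTP status in terms of the checklist.

# Returns 0 when the token looks like <apiKeyName>:<keyValue> with a non-empty
# name and a base64url key value; otherwise prints the reason and returns 1.
check_token_format() {
  tok=$1
  case "$tok" in
    '')  echo "token is empty"; return 1 ;;
    *:*) ;;
    *)   echo "no ':' separator: the header needs <apiKeyName>:<keyValue>, not just the key value"; return 1 ;;
  esac
  name=${tok%%:*}
  value=${tok#*:}
  [ -n "$name" ]  || { echo "api key name before ':' is empty"; return 1; }
  [ -n "$value" ] || { echo "key value after ':' is empty"; return 1; }
  case "$value" in
    *[!A-Za-z0-9_-]*) echo "key value has characters outside base64url (A-Z a-z 0-9 _ -)"; return 1 ;;
  esac
  return 0
}

# Maps the status code from the backup route to the next thing to verify.
# Returns 0 only for 200; the 403 wording follows the thread's checklist.
explain_status() {
  case "$1" in
    200) echo "backup downloaded"; return 0 ;;
    403) echo "403: token not accepted for Gateway Read Permission: check the key has a Security Level, that level is checked under Read Permissions and saved, the token is <name>:<value>, and you are on the HTTPS port if 'Require secure connection' is on" ;;
    000) echo "no HTTP response: TLS not enabled on that port, wrong host/port, or the gateway certificate is not trusted (install its CA rather than disabling verification)" ;;
    *)   echo "unexpected status $1" ;;
  esac
  return 1
}

# Fetches the gateway backup over HTTPS. Arguments: host, https port, output file.
# Assumes Ignition's default HTTPS port 8043 when no port is given.
fetch_backup() {
  host=$1; port=${2:-8043}; out=${3:-gateway-backup.gwbk}
  check_token_format "${API_TOKEN:-}" || return 1
  status=$(curl -sS -o "$out" -w '%{http_code}' \
    -H "X-Ignition-API-Token: $API_TOKEN" \
    "https://$host:$port/data/api/v1/backup") || status=000
  # A 403 body saved as .gwbk is not a backup; do not leave it lying around.
  [ "$status" = 200 ] || rm -f "$out"
  explain_status "$status"
}

# Usage (hypothetical host): API_TOKEN='backup-key:<keyValue>' GW_ADDR=gateway.example.internal sh fetch-backup.sh
if [ -n "${GW_ADDR:-}" ]; then
  fetch_backup "$GW_ADDR"
fi
```

The format check catches the "just the key value" mistake locally, before the gateway turns it into a 403 that looks identical to the HTTPS/permission problems; the 000 branch covers the case where the HTTPS port is closed or the certificate is untrusted, which is fixed on the trust side, not by passing `-k`.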