I created a thing (my first) and wrote a simple service to return the current UTC date time. There is no input parameter and the only output is the datetime value. Pressing the Test button on the Service listing in the Composer seems to work okay. But when I use Postman to send a service request via an HTTP POST the service returns HTTP 403 Forbidden. The POST message has the correct URI as far as I can tell. I have included the appKey associated with my User account in the header and made sure my user account has full access to the thing and the service.
The explanation of HTTP 403 suggests the form of the service request in Postman is correct but the server is actively refusing to honor it and not because of insufficient privilege.
How do I debug this?
Solved! Go to Solution.
Okay, this works and my REST API service request is getting 200 OK response and correct data.
Reading the help on the Platform Subsystem | Configuration settings suggests that the new settings go against the "best practice" and expose the application to cross-site request forgery, so the solution has consequences that go beyond making a simple service request work. I'll need to research this further.