Receiving 403 Forbidden response when creating orders

This is very similar issue to these two:

• Seemingly random 403 Forbidden - #9 by jndrdlx
• createOrder - 403 Forbideen response - #2 by sh-agent

We’ve started receiving 403 suddenly today and despite retrying the order creation they still seem to fail. On the other hand, when I tried to create test order via Postman it worked just fine (using the same bearer token etc.).

The ApolloError we receive is (timestamp: 2025-03-19T12:36:31.346417Z).

"error": {
  "name": "ApolloError",
  "message": "Response not successful: Received status code 403",
  "graphQLErrors": [],
  "clientErrors": [],
  "protocolErrors": [],
  "networkError": {
    "statusCode": 403,
    "result": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n</body>\r\n</html>\r\n",
    "response": {
      "url": "https://public-api.shiphero.com/graphql",
      "status": 403,
      "bodyUsed": true,
      "type": "basic",
      "redirected": false,
      "body": {
        "locked": true
      },
      "headers": {},
      "ok": false,
      "statusText": "Forbidden"
    },
    "name": "ServerError"
  }
}

We received about 10 more errors like this in the next 30 min.

The mutation we use:

mutation CreateOrderInShipHero(
    $order_number: String!
    $partner_order_id: String!
    $first_name: String!
    $last_name: String!
    $address1: String!
    $address2: String!
    $city: String!
    $zip: String!
    $country: String!
    $state: String!
    $email: String!
    $sku: String!
    $quantity: Int!
    $partner_line_item_id: String!
    $price: String!
  ) {
    order_create(
      data: {
        order_number: $order_number
        partner_order_id: $partner_order_id
        shipping_address: {
          first_name: $first_name
          last_name: $last_name
          address1: $address1
          address2: $address2
          city: $city
          zip: $zip
          country: $country
          state: $state
          email: $email
        }
        line_items: {
          sku: $sku
          quantity: $quantity
          partner_line_item_id: $partner_line_item_id
          price: $price
        }
        shipping_lines: {
          carrier: "cheapest"
          method: "Economy Domestic"
          title: "Manual Order Shipping Method"
          price: "0.00"
        }
      }
    ) {
      request_id
      complexity
      order {
        id
        legacy_id
        order_number
        partner_order_id
        shop_name
        fulfillment_status
        order_date
        created_at
        line_items {
          total_count
          edges {
            node {
              id
              legacy_id
              sku
              partner_line_item_id
              product_id
              product_name
              fulfillment_status
              warehouse
              quantity_allocated
              warehouse_id
              locked_to_warehouse_id
              created_at
              updated_at
              order_id
            }
            cursor
          }
        }
        shipping_address {
          first_name
          last_name
          company
          address1
          address2
          city
          state
          state_code
          zip
          country
          country_code
          email
          phone
        }
      }
    }
  }

User:486349
Account:84583
shop-name: ship-hero-api

Hi Dominik,

We are looking into this and will let you know soon what we find.

Thank you.

Hi Dominik,

Please Private message me the following so i can escalate to engineering.

The full Request body with the variables input, The Headders on the request, as well as the full response from our api.

Thank you

I think I need to gain more trust levels on discourse to be able to send DM.

On March 19 we observed several more cases of 403 error:

[
  "2025-03-19T22:03:40.729619Z",
  "2025-03-19T22:03:03.364857Z",
  "2025-03-19T22:02:51.337183Z",
  "2025-03-19T22:02:02.716069Z",
  "2025-03-19T22:01:52.093165Z",
  "2025-03-19T22:01:25.571880Z",
  "2025-03-19T21:57:51.458998Z",
  "2025-03-19T21:55:50.813876Z",
  "2025-03-19T21:55:40.205292Z",
  "2025-03-19T21:54:50.689492Z",
  "2025-03-19T21:54:40.152188Z",
  "2025-03-19T21:54:09.573276Z",
  "2025-03-19T21:51:39.512159Z",
  "2025-03-19T21:50:49.515594Z",
  "2025-03-19T21:49:38.908102Z",
  "2025-03-19T21:48:48.903114Z",
  "2025-03-19T21:48:38.303225Z",
  "2025-03-19T21:48:07.592912Z",
  "2025-03-19T21:47:41.384852Z",
  "2025-03-19T21:47:10.815603Z",
  "2025-03-19T13:41:20.374976Z",
  "2025-03-19T13:40:06.280923Z",
  "2025-03-19T13:09:19.701537Z",
  "2025-03-19T13:08:05.646096Z",
  "2025-03-19T12:53:19.051999Z",
  "2025-03-19T12:52:04.939279Z",
  "2025-03-19T12:45:18.119709Z",
  "2025-03-19T12:44:04.339326Z",
  "2025-03-19T12:41:17.465056Z",
  "2025-03-19T12:40:03.603071Z",
  "2025-03-19T12:39:16.832582Z",
  "2025-03-19T12:38:16.209775Z",
  "2025-03-19T12:38:02.997530Z",
  "2025-03-19T12:37:45.657444Z",
  "2025-03-19T12:37:02.416939Z",
  "2025-03-19T12:36:31.346417Z",
  "2025-03-17T15:06:21.385410Z",
  "2025-03-17T15:06:13.394792Z",
  "2025-03-17T15:06:04.580008Z",
  "2025-03-17T14:38:54.891868Z"
]

This is the payload of the last reuqest passed to ApolloClient using the mutation above

{
  "city": "redacted",
  "country": "US",
  "state": "CA",
  "email": "redacted@redacted.com",
  "address1": "P.o. Box redacted",
  "price": "0.00",
  "zip": "redacted",
  "partner_order_id": "f6c3ffc5-1e85-491f-8868-57d7e98aa619",
  "address2": "",
  "first_name": "redacted redacted",
  "sku": "redacted",
  "partner_line_item_id": "qGrMKufHtv4UWZa7H5oliANOcwQVC64GNITcVidqYAKbB",
  "quantity": 1,
  "order_number": "383546202",
  "last_name": ""
}

{
  "jsonPayload": {
    "error": {
      "networkError": {
        "statusCode": 403,
        "name": "ServerError",
        "result": "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n</body>\r\n</html>\r\n",
        "response": {
          "type": "basic",
          "body": {
            "locked": true
          },
          "status": 403,
          "bodyUsed": true,
          "statusText": "Forbidden",
          "ok": false,
          "redirected": false,
          "url": "https://public-api.shiphero.com/graphql",
          "headers": {}
        }
      },
      "cause": "[Circular]",
      "name": "ApolloError",
      "message": "Response not successful: Received status code 403",
      "protocolErrors": [],
      "clientErrors": [],
      "graphQLErrors": []
    },
    "message": "Error: Failed to create order"
  },

  "timestamp": "2025-03-19T22:03:40.729619Z",
  "severity": "ERROR"
}

I made a change to our logging to start tracking more details than just response. Will update my message once I see this again.

Thank you,

you should also be able to send the details to Support@shiphero.com

We haven’t seen this issue in few days now, I’ll share details if it happens again