Description
API returns 403 (Cloudflare challenge) for server-side requests
Hi 👋
We've been using the tints.dev API (/api/{hex}) successfully from our Laravel backend to generate color palettes. Recently, all our requests started receiving 403 Forbidden responses caused by Cloudflare's bot mitigation.
Details
- Endpoint: `GET https://www.tints.dev/api/401717`
- Response: `403 Forbidden`
- Key response header: `cf-mitigated: challenge` — indicating Cloudflare is serving a JS challenge/CAPTCHA instead of the API response
- User-Agent: `GuzzleHttp/7` (Laravel HTTP client)
- Server: Hetzner (dedicated server), IP resolves to a German datacenter
What we expect
The /api/* endpoints should be accessible for server-to-server (machine-to-machine) requests without requiring browser-based challenge solving. This is the primary use case for a REST API.
Reproduction
A simple curl from a cloud server should reproduce this:
curl -v https://www.tints.dev/api/401717
Suggestion
Could the Cloudflare WAF/Bot Fight Mode rules be adjusted to exempt the /api/* path from managed challenges? For example via a Cloudflare WAF custom rule:
(http.request.uri.path matches "^/api/")
→ Action: Skip / Allow
This would keep the rest of the site protected while allowing legitimate API consumers to reach the endpoints.
Thanks for this great tool — happy to provide any additional details if needed!
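As an added example (not code from this issue or from the tints.dev project), here is a small client-side check that tells a Cloudflare managed challenge apart from a genuine API error, keyed on the `cf-mitigated: challenge` header quoted above; the sample responses, the `Diagnosis` type and the User-Agent string are constructed placeholders, not values from the service.

```python
"""Client-side handling for the Cloudflare challenge described in this issue.

Added example, not code from the issue or the tints.dev project.  Only the
`cf-mitigated: challenge` header and the 403 status come from the report;
everything else here is constructed for illustration.
"""
from typing import Mapping, NamedTuple


class Diagnosis(NamedTuple):
    kind: str          # "ok", "cloudflare_challenge" or "http_error"
    retryable: bool    # whether the caller should retry later with backoff
    detail: str


def diagnose_response(status: int, headers: Mapping[str, str]) -> Diagnosis:
    """Classify an HTTP response received from the /api/{hex} endpoint.

    A Cloudflare managed challenge answers 403 with `cf-mitigated: challenge`
    and an HTML body; treating that as an ordinary API error (or parsing the
    body as JSON) hides the real cause.  Header names are compared
    case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if lowered.get("cf-mitigated") == "challenge":
        return Diagnosis("cloudflare_challenge", False,
                         "request blocked by Cloudflare bot mitigation; "
                         "no API response was produced")
    if 200 <= status < 300:
        return Diagnosis("ok", False, "API responded normally")
    # 429 and 5xx are worth retrying with backoff; other errors are not.
    retryable = status == 429 or 500 <= status < 600
    return Diagnosis("http_error", retryable, f"HTTP {status} from the API")


# Constructed sample responses (not captured from the real service).
CHALLENGE_RESPONSE = (403, {"CF-Mitigated": "challenge",
                            "Content-Type": "text/html; charset=utf-8"})
NORMAL_RESPONSE = (200, {"Content-Type": "application/json"})

# An identifying User-Agent with a contact URL is the conventional way for a
# server-side integration to distinguish itself from anonymous scrapers.
# The product name, version and "example.org" are placeholders.
USER_AGENT = "palette-service/1.0 (+https://example.org/contact)"

if __name__ == "__main__":
    for status, headers in (CHALLENGE_RESPONSE, NORMAL_RESPONSE):
        print(status, diagnose_response(status, headers))
```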