API requests from our backend server return 403 with Cf-Mitigated: challenge (Turnstile interstitial)

Hi 7Shifts API team,

Our backend service running on GCP (us-west region) is getting blocked by Cloudflare's bot management when calling /v2/* API endpoints, even though the same access token works perfectly when:

  • Called from our developer laptop (residential IP, HKG colo, returns 200)
  • Called via curl from the same backend server (returns 200)

Only the .NET HttpClient from the backend server is challenged. The request shape is identical to the working curl from the same machine (HTTP/1.1, Host, Accept, Authorization: Bearer , User-Agent: curl/8.0.1).

Cloudflare returns:
HTTP/1.1 403 Forbidden
Cf-Mitigated: challenge
Server: cloudflare
Content-Type: text/html

… Just a moment…

Example failing requests (CF-RAY values from our logs):
9fe27315098b0065-SJC 2026-05-19 10:34:30 UTC
9fe28239cb339913-SJC 2026-05-19 10:44:50 UTC

Endpoint: GET /v2/company/{companyId}/locations?deleted=false&limit=500
Companies affected: 187637, 187639, 360028, 360029
Server egress IP: <your GCP server's public IP — get it from curl ifconfig.me on the server>
Token (last 4 chars): 3838

Could you allowlist our server's egress IP in your Cloudflare zone, or adjust the bot-fight rule for /v2/* so authenticated requests bypass the challenge? The same token from a residential IP isn't challenged, so it appears to be an IP/ASN scoring rule on your CF zone.

Thanks!
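
An added example, not part of the original post and not 7shifts or Cloudflare code: a Python helper that separates the edge challenge described above (403 with `Cf-Mitigated: challenge`) from an API-level error, and extracts the ray ID and colo from `CF-RAY` for a support request. The sample responses are constructed, and the `CF-RAY` pattern is an assumption inferred from the two ray IDs quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed CF-RAY shape (hex id, dash, 3-letter colo), inferred from the post's two ray IDs.
RAY_RE = re.compile(r"^([0-9a-f]+)-([A-Z]{3})$")

@dataclass
class Verdict:
    kind: str               # "ok", "edge_challenge" or "other_error"
    status: int
    ray_id: Optional[str]
    colo: Optional[str]

def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw: str) -> Verdict:
    """Tell an edge challenge apart from a success or an API-level error."""
    status, headers, _ = parse_response(raw)
    m = RAY_RE.match(headers.get("cf-ray", ""))
    ray_id, colo = (m.group(1), m.group(2)) if m else (None, None)
    if headers.get("cf-mitigated", "").lower() == "challenge":
        kind = "edge_challenge"   # HTML interstitial: do not parse the body as JSON
    elif 200 <= status < 300:
        kind = "ok"
    else:
        kind = "other_error"      # e.g. a 403 produced by the API itself
    return Verdict(kind, status, ray_id, colo)

# Constructed samples: headers as quoted in the post, plus a CF-RAY line using a ray ID it lists.
CHALLENGE = ("HTTP/1.1 403 Forbidden\r\nCf-Mitigated: challenge\r\nServer: cloudflare\r\n"
             "Content-Type: text/html\r\nCF-RAY: 9fe27315098b0065-SJC\r\n\r\n"
             "<title>Just a moment...</title>")
API_403 = ("HTTP/1.1 403 Forbidden\r\ncontent-type: application/json\r\n\r\n"
           '{"error": "forbidden"}')

if __name__ == "__main__":
    for name, raw in (("challenge", CHALLENGE), ("api 403", API_403)):
        print(name, classify(raw))
```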