If your API integration is returning denied or forbidden errors, this is typically caused by an issue with credentials, request parameters, or permissions. Here is how to diagnose and resolve the most common causes.
"Denied" Responses
A denied response usually means one of the following:
• The customer failed the bank verification step (incorrect credentials, MFA failure, or bank-side timeout)
• The request parameters are incorrect or incomplete
• The customer does not meet the verification criteria configured for your account
Action: Review your request payload and confirm the customer was able to complete the IBV flow successfully. If the issue persists for multiple customers, contact Merchant Support with a sample request ID.
"Forbidden" Responses
A forbidden error indicates an authentication or permissions issue at the API level:
• Invalid or expired API key
• Missing or incorrect lender ID in the request
• Insufficient permissions for the endpoint being called
• Mixing sandbox and production credentials
Action: Double-check your API key, lender ID, and confirm you are using the correct environment endpoint (sandbox vs. production). If you recently rotated your API key, ensure the new key has been applied across all
services.
Next Steps
If neither of the above resolves the issue, open a Merchant Support ticket and include:
• The affected API endpoint
• A sample request (with credentials redacted)
• The full error response
• The date and time of the failure