After submitting an API call to Adyen, you may receive a 403 Not Allowed or Forbidden error in the API response, often together with one of the errorCodes 010, 802 or 701. This response indicates that you are missing the right permissions: most likely your webservice user (e.g. ws@Company.[YourCompanyAccount]) does not have the right roles for the request you are trying to make.
Below are the main causes and what you can do to solve them:
- If you are making a payments request by sending in raw (unencrypted) cardholder data, you need the API PCI Payments role enabled for your webservice user. Please note that on test we can enable this for you, but on live you need to be fully PCI compliant. Therefore, if you are not fully PCI compliant, use our client-side solutions instead. To test a payment via a tool like Postman you can 'encrypt' test card details. To be granted the API PCI Payments role on TEST, ask your admin to submit a request for this role. To have this role on LIVE, you have to be PCI Level 1 or Level 2 certified.
- If you are testing via one of our client-side solutions such as Drop-in or Components and are experiencing this error, it means that the webservice user is probably missing the Checkout webservice role. If so, please submit a request so we can enable this role for you on TEST. To have this role on LIVE, you have to be PCI SAQ-A compliant.
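As an added example (not Adyen's own code), the check below classifies a 403 response using the errorCodes named above and, by inspecting whether the request carried raw or client-side encrypted card fields, reports which role is most likely missing. The Checkout `paymentMethod` field names (`number`, `encryptedCardNumber`, ...) and the `errorCode` response field are assumptions; the sample request and response are constructed, and the summary deliberately never includes the card number so it can be pasted into a role request.

```python
from typing import Optional

# errorCodes the page associates with a 403 permission error
PERMISSION_ERROR_CODES = {"010", "802", "701"}

# Assumed Checkout /payments field names (not taken from the page):
# raw cardholder data needs the API PCI Payments role, encrypted fields
# produced by Drop-in/Components need the Checkout webservice role.
RAW_CARD_FIELDS = {"number", "cvc", "expiryMonth", "expiryYear"}
ENCRYPTED_CARD_FIELDS = {
    "encryptedCardNumber", "encryptedSecurityCode",
    "encryptedExpiryMonth", "encryptedExpiryYear",
}


def request_sends_raw_card_data(request_body: dict) -> bool:
    """True if the paymentMethod object contains unencrypted card fields."""
    payment_method = request_body.get("paymentMethod", {})
    return bool(RAW_CARD_FIELDS & set(payment_method))


def missing_role(status: int, response_body: dict, request_body: dict) -> Optional[str]:
    """Return the role most likely missing, or None if this is not a 403 role error."""
    if status != 403:
        return None
    if str(response_body.get("errorCode", "")) not in PERMISSION_ERROR_CODES:
        return None
    if request_sends_raw_card_data(request_body):
        return "API PCI Payments"
    return "Checkout webservice"


def ticket_summary(status: int, response_body: dict, request_body: dict) -> dict:
    """Build a summary safe to share: no PAN, only field names and the diagnosis."""
    payment_method = request_body.get("paymentMethod", {})
    return {
        "status": status,
        "errorCode": str(response_body.get("errorCode", "")),
        "raw_card_fields_present": sorted(RAW_CARD_FIELDS & set(payment_method)),
        "encrypted_fields_present": sorted(ENCRYPTED_CARD_FIELDS & set(payment_method)),
        "missing_role": missing_role(status, response_body, request_body),
    }


if __name__ == "__main__":
    # constructed sample: raw PAN sent from a server-side test, rejected with 403 / 010
    resp = {"status": 403, "errorCode": "010", "message": "Not allowed", "errorType": "security"}
    req = {"paymentMethod": {"type": "scheme", "number": "4111111111111111", "cvc": "737"}}
    print(ticket_summary(403, resp, req))
```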