Help: API call remoteFetchAsync() returning "403 Forbidden" yet works in Postman

I’m having trouble calling an external API from an Airtable scripting app using remoteFetchAsync().

This is what I’ve tried:

// Change this name to use a different table
let table = base.getTable("🎬 Projects");

// Prompt the user to pick a record
// If this script is run from a button field, this will use the button's record instead.
let record = await input.recordAsync('Select a record to use', table);

if (record) {
    // Customize this section to handle the selected record
    // You can use record.getCellValue("Field name") to access
    // cell values from the record
    output.text(`You selected this record: ${record.name}`);

    const teamId = 'team_id_hidden_for_security';
    // The endpoint URL is not shown in the post; the string below is a placeholder.
    const resp = await remoteFetchAsync('API_ENDPOINT_URL_NOT_SHOWN_IN_POST', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
            Authorization: 'Bearer token_hidden_for_security'
        },
        body: JSON.stringify({
            private: false,
            project_preferences: {
                collaborator_can_download: true,
                collaborator_can_invite: true,
                collaborator_can_share: true,
                notify_on_new_asset: true,
                notify_on_new_collaborator: true,
                notify_on_new_comment: true,
                notify_on_updated_label: true,
                notify_slack: true
            }
        })
    });
} else {
    output.text('No record was selected');
}

which results in:

{type: "basic", url: "", status: 403, statusText: "Forbidden", ok: false…}
type: "basic"
url: ""
status: 403
statusText: "Forbidden"
ok: false
headers: Object
redirected: false

I am successful making this call from Postman so I’m wondering if this is CORS related… but I thought using remoteFetchAsync() might resolve that. Could this be related to the “redirect: follow” option mentioned in other posts? What am I doing wrong here?

I’ve hidden my actual team ID and bearer token in my code above for security reasons.

Thank you for your help.

Everything looks good on the surface. I haven’t used the API, so there might be some idiosyncrasy with it that requires a different approach. If they have a user community forum, you might consider posting there for input.

The only thing I can offer which may or may not help is this: with an API call that I make, I also include this in the headers section:

Accept: 'application/json'

Maybe try adding that and see if it cooperates. It’s a long shot, but worth a try.

Appreciate the suggestion! I added it and unfortunately still get the same 403 error result. Glad to know that it appears correct however. Thanks

@Justin_Barrett So I contacted support and they requested the public IP address of the server making the call. I’m guessing they need to whitelist the server for incoming server-server traffic. Do you happen to know if this is typically accessible to Airtable users? Thanks!

@Stephen_Orr Sorry, but I’ve not encountered this IP whitelisting requirement before, so I don’t know how willing Airtable support will be about giving it out. I obviously don’t recommend posting it here if you do obtain it, but it would be good to know if it’s even available.
