Carje

Sorry for the delay. I was too tired last night and misunderstood your question. There is a new token for every login. I finally managed to get someone to talk with their tech, and apparently there was an "internal" problem (didn't give me any real answer), although it was working through Postman. I don't know what it was but now works with no issues.

It's the same token every time. As I said before. the first thing I did was to replicate what the browser was doing.

No

I tried to get the headers with many different codes and finally got something: HTTP/2 403 server: nginx date: Sun, 12 Apr 2020 21:30:19 GMT content-type: application/json content-length: 23 vary: Accept-Encoding x-powered-by: PHP/7.3.4 access-control-allow-headers: API_TOKEN access-control-allow-origin: * {"message":"Forbidden"}403 I have also tried to make the request through jQuery-Ajax (just to test) and I get this error in console: GET https://api.domain.co/data/network.php?action=balance&id=##### 403 I am not very experienced. If you have any suggestions on how to get more info/logs/messages, that will be appreciated.

I'm trying to get some data from an API with php-cURL. I went to Chrome Developer Tools and copied as cURL (as I usually do): curl 'https://api.domain.co/data/network.php?action=balance&id=#####' -H 'authority: api.domain.co' -H 'pragma: no-cache' -H 'cache-control: no-cache' -H 'accept: application/json, text/javascript, */*; q=0.01' -H 'sec-fetch-dest: empty' -H 'api_token: #######################' -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' -H 'origin: https://app.domain.com' -H 'sec-fetch-site: cross-site' -H 'sec-fetch-mode: cors' -H 'referer: https://app.domain.com/' -H 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5' --compressed I converted the code to php-cURL and placed it in my page: $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, 'https://api.domain.co/data/network.php?action=balance&id=#####'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET'); curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate'); $headers = array(); $headers[] = 'authority: api.domain.co'; $headers[] = 'pragma: no-cache'; $headers[] = 'cache-control: no-cache'; $headers[] = 'accept: application/json, text/javascript, */*; q=0.01'; $headers[] = 'fec-fetch-dest: empty'; $headers[] = 'api_token: #######################'; $headers[] = 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36'; $headers[] = 'origin: https://app.domain.com'; $headers[] = 'sec-fetch-site: cross-site'; $headers[] = 'sec-fetch-mode: cors'; $headers[] = 'referer: https://app.domain.com/'; $headers[] = 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5'; curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); $result = curl_exec($ch); if (curl_errno($ch)) { echo 'Error:' . curl_error($ch); } curl_close($ch); print_r($result); And I got the following response: {"message":"Forbidden"} I played around with the headers and other cURL parameters, but with no success. Then I said I should try with Postman, and imported the code from Chrome to Postman, and voilà, it worked. At this point, I thought that maybe I wasn't converting the code properly. So I took the code from Postman Code Generator as PHP - cURL and placed it in my page, only to get the same result as before: $curl = curl_init(); curl_setopt_array($curl, array( CURLOPT_URL => "https://api.domain.co/data/network.php?action=balance&id=#####", CURLOPT_RETURNTRANSFER => true, CURLOPT_ENCODING => "", CURLOPT_MAXREDIRS => 10, CURLOPT_TIMEOUT => 0, CURLOPT_FOLLOWLOCATION => true, CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1, CURLOPT_CUSTOMREQUEST => "GET", CURLOPT_HTTPHEADER => array( "authority: domain.co", "pragma: no-cache", "cache-control: no-cache", "accept: application/json, text/javascript, */*; q=0.01", "sec-fetch-dest: empty", "api_token: #######################", "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36", "origin: https://app.domain.com", "sec-fetch-site: cross-site", "sec-fetch-mode: cors", "referer: https://app.domain.com/", "accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5" ), )); $response = curl_exec($curl); curl_close($curl); echo $response; Again I tried to play with different headers (Also checked in Postman what headers are mandatory and tried only with those - but nothing). PS: I have cleared my cache and cookies, also tried with different browsers and different user-agent. I am using this method for many other API's, but with this one, I can't figure out what I'm doing wrong