I have a protected service, but I need to create links for sharing purpose. So I came over this feature:
new ApiKeyAuthProvider(AppSettings) {
AllowInHttpParams=true
},
I'm calling the service, getting the API directly from the ApiKey table, and in the debug console I can even see the SQL, which is correct (select where id, and id is my api key) and matches an active user, but still I'm getting a 403 from ServiceStack.
The apikey query param is used. Https is used (with valid CA signed cert).
403 Forbidden indicates Authentication was successful (otherwise would return 401 unauthorized) but the authenticated user does not have access to the resource, e.g. they don't have the required roles or permissions.