Dear colleagues,

Currently the RIPE Atlas REST API (https://atlas.ripe.net/api/v2/)
returns a 403 Forbidden status code in two cases:

* When a request requires authentication but the user has not provided
any credentials, or has provided incorrect credentials
* When a user has authenticated correctly, but they or their API key
lacks the permissions needed for a particular request

Distinguishing between these two cases is important because in the first
case the client can potentially get access by authenticating, and in the
second case there is no point in retrying authentication with the same
credentials.

In order to enable this distinction, and to generally conform to web
standards and best practices, on Monday, 2nd October we will change the
REST API so that a completely unauthenticated request will receive a
response with a 401 Unauthorized status code. The 403 Forbidden status
code will still be returned for users and API keys that are
authenticated but lack the necessary permissions for the request.

As a temporary migration measure, the API will keep the same behaviour
(always return 403) if either:

* The "Referer" header contains "RIPE Atlas Tools" and a version string
<= 3.1.1, or
* An "X-Compat" header is set and contains the string "auth-2022"

This temporary measure is guaranteed to work for the rest of 2022, after
which it will be removed and the API will always make the 401/403
distinction.

Kind regards,
Chris Amin
RIPE Atlas team
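
The status-code rules announced above, modelled as an added example (this is not RIPE Atlas code and is not part of the original message). The function names, the way the version is extracted from the "Referer" header and the action labels are assumptions made for illustration.

```python
import re

COMPAT_TOKEN = "auth-2022"          # from the announcement
LEGACY_TOOL = "RIPE Atlas Tools"    # from the announcement
LAST_LEGACY_VERSION = (3, 1, 1)     # "<= 3.1.1" in the announcement


def wants_legacy_403(headers):
    """True when either temporary compatibility rule matches the request."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if COMPAT_TOKEN in h.get("x-compat", ""):
        return True
    referer = h.get("referer", "")
    if LEGACY_TOOL not in referer:
        return False
    # Assumption: the version is the first dotted number after the tool name.
    match = re.search(r"\d+(?:\.\d+)+", referer.split(LEGACY_TOOL, 1)[1])
    if match is None:
        return False
    # Compare as integer tuples: as strings, "10.0.0" would sort before "3.1.1".
    version = tuple(int(part) for part in match.group(0).split("."))
    return version <= LAST_LEGACY_VERSION


def denial_status(authenticated, headers):
    """Status code for a request that is denied.

    authenticated=False models a request sent with no credentials at all.
    """
    if authenticated:
        return 403  # credentials accepted, permissions missing
    return 403 if wants_legacy_403(headers) else 401


def client_action(status, sent_compat):
    """What a client can conclude from the status code it received."""
    if status == 401:
        return "authenticate"
    if status == 403:
        # Under the compatibility rules 403 still covers both cases.
        return "ambiguous" if sent_compat else "insufficient-permissions"
    return "not-an-auth-error"
```

A client that has sent the compatibility header cannot tell the two 403 cases apart, which is why `client_action` reports "ambiguous" for it.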