Why Is My Salesforce Webhook Returning “FORBIDDEN”?

Question
I recently set up a Stripe Webhook endpoint in our Salesforce sandbox, and it worked perfectly when tested via Postman and Stripe. However, after deploying it to production, I started encountering the following error whenever I tried to access the endpoint via Postman or directly in a browser:
<Errors>
<Error>
<errorCode>FORBIDDEN</errorCode>
<message>You do not have access to the Apex class named: StripeWebhookHandler</message>
</Error>
</Errors>
I ensured that the guest user had access to the Apex class marked with @RestResource, and the site is activated. The Apex class is enabled for the guest user, and I even created a Permission Set, added StripeWebhookHandler, and assigned it to the guest user. Despite these steps, I still receive the “FORBIDDEN” error.
This setup worked fine in sandbox, so I know that my configuration was correct there. The only change since deploying to production is that a couple of managed packages have been installed, one of which also uses an endpoint.
Has anyone encountered this issue before? Could the newly installed managed packages or another security setting be interfering with the guest user’s access? What else should I check to resolve this issue?
Answer
1. Verify Guest User Permissions
Even if the Apex class was previously accessible, changes in configuration might have affected its availability. To verify:
- Go to Setup > Sites and open the Site Detail Page for your endpoint.
- Click Public Access Settings.
- Click View Users and select the guest user (e.g., Your Site Name Site Guest User).
- Check if the correct Permission Set is assigned to this user.
- Open the Permission Set and confirm that the Apex Class (StripeWebhookHandler) is still assigned.
If the class is missing, reassign it and test the webhook again.
2. Double-Check Site URL and API Access
Ensure you are using the correct production Site URL. The sandbox URL differs from the production one. Try accessing the endpoint directly in your browser:
https://your-site.force.com/services/apexrest/StripeWebhookHandler
If it still returns “FORBIDDEN,” API access could be restricted at the org level.
3. Check for Conflicts with Managed Packages
Since a managed package was installed recently, it’s worth checking whether it modified any security settings. Some packages create custom Site Guest User Profiles or override permission sets. Try the following:
- If possible, temporarily uninstall the package and test the webhook again.
- Review the Installed Packages and their Permission Sets in Setup.
- Check if the Guest User Profile was altered after the package installation.
4. Use a Debug Log to Diagnose the Issue
Enable debug logs for the Guest User to see if Salesforce is blocking the request at a deeper level:
- In Setup, go to Debug Logs.
- Click New and select the Guest User.
- Replicate the webhook request and review the log for access issues.
Look for permissions-related errors or unexpected Apex runtime errors.
5. Consider a Workaround: Using an Authenticated User
If guest user access continues to be an issue, consider using named credentials and an authenticated user instead of a public guest user. This ensures that API requests are properly authenticated and avoids unauthorized access issues.
This issue is often caused by missing guest user permissions, profile changes due to managed packages, or incorrect site configurations. Start by verifying that the guest user still has the correct permission set and that no settings have changed after installing new packages. Debug logs can also help pinpoint the exact cause of the “FORBIDDEN” error.
If all else fails, consider using an authenticated approach instead of relying on the guest user. Let me know if you need more details!
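The permission checks from steps 1 and 3 can also be run as a script, which shows in one pass which guest users actually hold a grant on the class and whether a namespaced class or permission set from a managed package is involved. This is an added example, not code from the original post; it assumes it is run by an administrator in the production org via Execute Anonymous and uses only the standard ApexClass, SetupEntityAccess and PermissionSetAssignment objects.

```apex
// Added example: paste into Developer Console > Execute Anonymous.
String className = 'StripeWebhookHandler'; // class name from the question

// A managed package can ship a class with the same name under its own
// namespace, so list every match together with its NamespacePrefix.
Map<Id, ApexClass> classes = new Map<Id, ApexClass>([
    SELECT Id, Name, NamespacePrefix FROM ApexClass WHERE Name = :className
]);
for (ApexClass c : classes.values()) {
    System.debug('Class ' + c.Name + ' ns=' + c.NamespacePrefix + ' id=' + c.Id);
}

// Permission sets that grant the class. Profile access is stored the same
// way, through the hidden permission set that each profile owns.
Set<Id> classIds = classes.keySet();
Set<Id> granting = new Set<Id>();
for (SetupEntityAccess sea : [
    SELECT ParentId FROM SetupEntityAccess
    WHERE SetupEntityType = 'ApexClass' AND SetupEntityId IN :classIds
]) {
    granting.add(sea.ParentId);
}

// Every permission set held by an active site guest user, flagged by
// whether it grants the class. An org with several sites has several guest
// users; the row that matters is the guest user of the webhook's site.
for (PermissionSetAssignment psa : [
    SELECT Assignee.Username, Assignee.Profile.Name, PermissionSetId,
           PermissionSet.Name, PermissionSet.IsOwnedByProfile,
           PermissionSet.NamespacePrefix
    FROM PermissionSetAssignment
    WHERE Assignee.UserType = 'Guest' AND Assignee.IsActive = true
    ORDER BY Assignee.Username
]) {
    System.debug(
        psa.Assignee.Username
        + ' | profile=' + psa.Assignee.Profile.Name
        + ' | permset=' + psa.PermissionSet.Name
        + ' | ownedByProfile=' + psa.PermissionSet.IsOwnedByProfile
        + ' | ns=' + psa.PermissionSet.NamespacePrefix
        + ' | grantsClass=' + granting.contains(psa.PermissionSetId)
    );
}
```

If the site's guest user has no row with grantsClass=true, the class is not enabled for that user in this org, whatever the sandbox configuration was.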