403 Error When Booking via API – CloudFront HTML Block

[pharrisenterprises]

Hi Cal.com Dev Team,

We're trying to integrate Cal.com appointment booking into a backend conversational agent (Retell AI), but we're hitting a persistent 403 error that appears to originate from CloudFront, not your actual API. We’re hoping you can help confirm whether the API request structure or authentication needs adjustment.

Here are our details:

📌 Endpoint:
POST https://api.cal.com/v2/bookings?cal-api-version=2024-08-13

📌 Headers:

• Content-Type: application/json
• Authorization: Bearer cal_live_a6812afea4c564e3c128086a2bfe831a

📌 Request Body:

{
  "eventTypeId": 2921023,
  "start": "2025-08-05T14:00:00Z",
  "end": "2025-08-05T14:15:00Z",
  "timeZone": "America/New_York",
  "language": "en",
  "attendee": {
    "name": "Test User",
    "email": "test@example.com"
  },
  "responses": {
    "name": "Test User",
    "email": "test@example.com"
  }
}


📌 Error Response:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" ...>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
Request ID: 45jiKBfcBbq0-hcJo7CXUIWHEbB4mre0nR5mdJygUI11C2I0woyoXg==
Generated by cloudfront (CloudFront)


We've confirmed:

The eventTypeId exists and is linked to our account

API key is valid and matches the event

All required fields (including responses, attendee, start, end, etc.) are present

Using recommended query param cal-api-version=2024-08-13

Is there anything else needed in the headers or payload to bypass this CloudFront block? Does API-based booking require an Enterprise plan or additional permissions?

We appreciate any guidance you can offer — thank you!

[dosubot[bot]]

Hi @pharrisenterprises! I'm Dosu and I’m helping the cal.com team.

Your API request structure and authentication look correct, and there’s no evidence that API-based booking requires an Enterprise plan—access is determined by the permissions on your API key, not your plan tier. The /v2/bookings endpoint expects the Authorization header with your Bearer token and the cal-api-version header set to 2024-08-13, which matches your setup. If a required field is missing or invalid, the API returns a 400 error, not a 403, so your payload is not the issue [source].

A 403 from CloudFront points to an infrastructure-level block, not an application-level one. This can happen if CloudFront or a WAF is blocking requests based on missing headers (like User-Agent), suspicious patterns, IP restrictions, or bot detection. There are no CloudFront-specific requirements or custom headers enforced by the Cal.com API itself [source].

One common pitfall: the correct endpoint path is /api/v2/bookings, not /v2/bookings. Using the wrong path can result in errors or unexpected behavior [source].

Checklist to troubleshoot:

• Make sure you’re POSTing to https://api.cal.com/api/v2/bookings (note the /api prefix).
• Add a standard User-Agent header if you’re making requests from a backend or script.
• If possible, try from a different IP/network to rule out IP-based blocks.
• Double-check that your API key has BOOKING_WRITE permissions for the event type.
• If you’re behind a proxy or firewall, ensure it isn’t stripping or modifying headers.

If you’re still seeing a CloudFront 403 after these checks, it’s likely due to a WAF or CloudFront rule outside the Cal.com application layer.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}