Forbidden requests (1009) on Square API Requests

We just started receiving “[HTTP/1.1 403 Forbidden] error code: 1009” on all our Square API requests from our website ( This started either late Sunday or early Monday. We also make Square API requests from our internal accounting system and they are working fine. I believe the requests from both systems are identical.

The location for requests: RFX4FGQR6D2C5

Is there anything on your end to identify the problem?

Thanks for your help!

What’s the IP address of the traffic that’s being blocked? :slightly_smiling_face:

IP is

Thanks for your help!


What are the endpoints your calling? :slightly_smiling_face:

The simplest one is /v2/locations. A request to list our locations is getting the Forbidden response. It’s something that has been running well for years and stopped working in the last day or two. I have disabled our website until we get it working again.

Okay, great. The team is looking into this. :slightly_smiling_face:

Note sure if this is helpful, but here is the response headers when I try to request a list of locations from the v2/locations endpoint:

Caught exception!
Response body:
string(16) "error code: 1009"

Response headers:
array(12) {
  string(22) "HTTP/1.1 403 Forbidden"
  string(29) "Wed, 07 Jun 2023 05:34:50 GMT"
  string(25) "text/plain; charset=UTF-8"
  string(2) "16"
  string(10) "keep-alive"
  string(10) "SAMEORIGIN"
  string(11) "same-origin"
  string(82) "private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0"
  string(29) "Thu, 01 Jan 1970 00:00:01 GMT"
  string(261) "__cf_bm=s9PQLuRP9zSCKZVghX1j06KR19TLrlG3MIvAjsSjWz8-1686116090-0-AYUdjqhssmFFkdoGLCFjXItu7VtcqPGhylDwf7pX4yTI7dpII7gKUogkJsbJTUk9kRdt4jWWc9dIlYWFMFkm1wM=; path=/; expires=Wed, 07-Jun-23 06:04:50 GMT;; HttpOnly; Secure; SameSite=None"
  string(10) "cloudflare"
  string(20) "7d36873d6f0b2b1b-MCI"

Our Square API requests are working again! Although I do not know why they started working. I tried a few things yesterday, like disabling the firewall and rebooting our server, but none of it made a difference. I did see our server is listed on the UCEPROTECTL3 blacklist, which seems to happen from time to time. We are still listed on it as of this morning, but our API requests are working now!

Brian - thanks for working on this. It would be helpful to know if your team was able to track down a problem that was causing our API requests to fail. Are we missing something from our requests, such as versioning info, that caused the problem?

There was an issue on our end and the team deployed a fix to allow the traffic. Thanks for bringing this to our attention. :slightly_smiling_face: