
Central API 403 (Forbidden)

Getting a 403 (Forbidden) from the CrowdSec Central API (CAPI) means your Security Engine's requests are blocked or your IP is rate limited.
This is commonly caused by misconfiguration and triggers a 1-hour ban from the CrowdSec API.

Info: CAPI restrictions apply only to free users. Enterprise users are not impacted.

What Triggers This Issue

  • Trigger condition: Number of logins exceeds thresholds.
  • Criticality: ⚠️ High
  • Impact: No enrollment, no metrics, no decisions, and no reputation sharing updates

Common Root Causes

  • CrowdSec containers restart loop: CrowdSec containers stuck in a restart loop.
  • cscli capi status spam: Integrations or 3rd party software using cscli capi status too often.
  • Misconfiguration or multiple instances: Duplicate engines or invalid tokens trigger repeated logins.

Diagnosis & Resolution

Temporary ban due to login bursts

On CAPI login, any IP using a free account can be blocked for 1 hour when it exceeds these thresholds:

  • Non Sharing, not enrolled: more than 20 logins in 50 minutes
  • Sharing, not enrolled: more than 20 logins in 50 minutes
  • Enrolled, non sharing: more than 20 requests in 50 minutes
  • Enrolled, sharing: more than 20 requests in 50 minutes
  • Non-free users: this restriction does not apply

🔎 Check for repeated login attempts

Look for repeated CAPI login failures or bursts:

SH
sudo journalctl -u crowdsec -n 100

If you see many login attempts in a short period, you likely hit the temporary ban.
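To put a number on "many login attempts", the following added example (not part of the original page or of CrowdSec's tooling) counts matching journal lines in a sliding 50-minute window and compares the peak with the limit of 20 stated above. The function names, the match pattern and the sample log wording are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not CrowdSec's own tooling.
# Input: lines from `journalctl -u crowdsec -o short-unix` (epoch seconds in field 1).
WINDOW=$((50 * 60))  # 50-minute window from the thresholds above
LIMIT=20             # more than 20 logins in the window means a ban

# peak_logins PATTERN: print the largest number of lines matching PATTERN
# that fall inside any single WINDOW-second span of the input.
peak_logins() {
    awk -v win="$WINDOW" -v pat="$1" '
        BEGIN { head = 0 }
        $0 ~ pat {
            ts[n++] = $1 + 0
            while (ts[n - 1] - ts[head] >= win) head++   # drop entries older than the window
            if (n - head > peak) peak = n - head
        }
        END { print peak + 0 }'
}

# check_burst PATTERN: report the peak and return 1 when it exceeds LIMIT.
check_burst() {
    peak=$(peak_logins "$1")
    if [ "$peak" -gt "$LIMIT" ]; then
        echo "peak of $peak logins in 50 minutes: over the limit of $LIMIT"
        return 1
    fi
    echo "peak of $peak logins in 50 minutes: within the limit of $LIMIT"
}

# sample_log START STEP COUNT: constructed journal lines, one login every STEP seconds.
# The message text is made up for this example; real CrowdSec wording will differ.
sample_log() {
    i=0
    while [ "$i" -lt "$3" ]; do
        printf '%d.000000 host crowdsec[1]: msg="CAPI login attempt"\n' $(($1 + i * $2))
        i=$((i + 1))
    done
}

# Demo on constructed data: a restart loop that logs in every 2 minutes.
sample_log 1700000000 120 25 | check_burst 'CAPI login' || true
# Real use (PATTERN is an assumption, adjust it to your journal):
#   sudo journalctl -u crowdsec -o short-unix --since "2 hours ago" | check_burst 'login'
```

The ban applies per IP, so when several instances sit behind the same NAT one journal only shows that engine's share of the logins.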

🔎 Inspect engine activity

Check that the engine is stable and not in a crash loop:

SH
sudo systemctl status crowdsec

SH
sudo journalctl -u crowdsec -n 50

Check logs for Docker:

SH
docker compose up

Crash loops can trigger repeated logins, resulting in 403s.

🛠️ Wait for ban expiry and reduce login frequency

Wait 1 hour for the ban to expire, then ensure the engine is not repeatedly re-authenticating.

If you run multiple instances behind the same NAT, consider using one LAPI instance or reducing reconnection frequency to avoid bursts.

🛠️ Stabilize the engine

Resolve the underlying crash or restart loop before retrying CAPI:

SH
sudo systemctl restart crowdsec

Misconfiguration or multiple instances

Running multiple instances from the same public IP can trigger rate limiting.

Verify Resolution

After making changes:

Restart or reload CrowdSec: sudo systemctl restart crowdsec

  1. Check engine status:

    SH
    sudo cscli console status
  2. Check CAPI connectivity:

    SH
    sudo cscli capi status

If CAPI returns 200/204 and your console status is OK, the 403 is resolved.

Known Issues

3rd party software or related issues:

Getting Help

If you still get 403 responses from CAPI:

  • Check Discourse for similar cases
  • Ask on Discord with your sudo cscli support dump output