Zotero API returns 403 or silent failures when called from FastAPI tool used in GPT integration


Davod Shah

Apr 12, 2025, 10:12:54 AM
to zoter...@googlegroups.com

Hi all,

I’m developing a public-facing FastAPI tool that integrates with the Zotero Web API. This tool is used as part of a custom GPT assistant to allow users to:

  • Retrieve their Zotero collections
  • Add items to specific collections
  • Create new collections

Implementation Details:

  • The tool is hosted on Render and exposes endpoints like /zotero/collections, /zotero/items, and /zotero/add.
  • Because GPT’s Actions platform (custom API integration) does not support header-based auth, I’m passing the Zotero api_key and user_id as query parameters, e.g.:
    response = requests.get(url)
  • I’ve added URL encoding and logging to ensure the key is transmitted correctly.
  • The tool works fine when tested manually in a browser or Postman using the same parameters — the collections are returned successfully.

The Problem:

  • When GPT invokes the tool and the backend attempts to call the Zotero API, the request either:
    • Returns a 403 Forbidden with the message “User does not have access to this resource”, or
    • Fails silently — i.e., Zotero returns no structured error, and GPT receives no valid response
  • This happens only when the request is relayed via the backend (Render-hosted FastAPI app) — not when directly testing the same URL in a browser with the same key and user ID.
  • The Zotero key has full read/write access to the personal library, and the user ID is correct.

Questions:

  1. Are there any restrictions or edge cases when calling the Zotero API from cloud-hosted backend services (like Render)?
  2. Are query parameter API keys (?key=...) still fully supported, or are there scenarios where header-based auth is required?
  3. Could Zotero rate limits, User-Agent restrictions, or internal IP blocks be causing this discrepancy?
  4. Are there known failure modes where Zotero may respond inconsistently depending on client environment or request headers?

Any suggestions would be appreciated. I’m happy to provide logs, request URLs (redacted), or more backend details if helpful.

Thanks, Davod 

Dan Stillman

Apr 12, 2025, 10:19:23 AM
to zoter...@googlegroups.com
The API can return a 403, but "User does not have access to this resource" isn't a message from the API.

If you provide the userID in question (either here or in an email to sup...@zotero.org referencing this thread) and the timestamp of a request, we can take a look.

- Dan

Davod Shah

Apr 12, 2025, 11:40:07 AM
to zoter...@googlegroups.com
Dear Dan,

Thank you. My user ID is 12584918

And when I check my render log, having hosted the API on Render, no request comes through. There are no issues when I manually do the query in my browser, as I previously described.


Kind regards, Davod Shah

On 12 Apr 2025, at 15:19, Dan Stillman <dsti...@zotero.org> wrote:

 The API can return a 403, but "User does not have access to this resource" isn't a message from the API.

Dan Stillman

Apr 13, 2025, 2:47:06 AM
to zoter...@googlegroups.com
On 4/12/25 11:29 AM, Davod Shah wrote:
And when I check my render log, having hosted the API on Render, no request comes through.

I'm not sure what you mean by this.

In any case, we'd need the exact time of a request. I'm not seeing any third-party requests using that key, though, so I'd guess that the requests aren't making it to us at all.

- Dan
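
An added example, not code from the thread or from Zotero: one way the relay described in the first post can keep the key out of its own logs while still recording the UTC timestamp of each call that Dan asks for. It moves the key from the inbound query string into the `Zotero-API-Key` header for the outbound request; `user_id` and `api_key` are the parameter names from the post, and the host name and sample key are constructed.

```python
import logging
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

ZOTERO_BASE = "https://api.zotero.org"
# "key" is Zotero's query parameter; "api_key" is the tool's own name in the post.
SECRET_PARAMS = {"key", "api_key"}
# Constructed sample request to the tool; host and key are made up.
SAMPLE_INBOUND = ("https://relay.example.invalid/zotero/collections"
                  "?user_id=1234567&api_key=CONSTRUCTEDKEY123")
log = logging.getLogger("zotero_relay")


def redact_url(url):
    """Mask secret query parameters so the URL is safe to write to a log."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def build_upstream_request(inbound_url, resource="collections"):
    """Return (url, headers) for the outbound Zotero call.

    The key is taken out of the query string and sent in a header, so it
    does not appear in the upstream URL that gets logged.
    """
    params = dict(parse_qsl(urlsplit(inbound_url).query))
    user_id, api_key = params.get("user_id", ""), params.get("api_key", "")
    if not (user_id.isascii() and user_id.isdigit()) or not api_key:
        raise ValueError("user_id must be numeric and api_key must be present")
    url = f"{ZOTERO_BASE}/users/{user_id}/{quote(resource, safe='/')}"
    return url, {"Zotero-API-Key": api_key, "Zotero-API-Version": "3"}


def log_record(inbound_url, upstream_url, status):
    """Log one relayed call with a UTC timestamp and no secret in it."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = (f"{stamp} inbound={redact_url(inbound_url)} "
            f"upstream={upstream_url} status={status}")
    log.info(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    upstream, _headers = build_upstream_request(SAMPLE_INBOUND)
    log_record(SAMPLE_INBOUND, upstream, status=None)  # status unknown until sent
```

If the relay's log shows no such line for a given GPT call, the request never reached the backend, which matches the "no request comes through" observation in the thread.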