azure chatbot 403

Question

azure chatbot 403

XIANG Jirui (ME/ECO-CN) 0

when I test echo chatbot on azure bot web chat, it always returns 403

2026-04-13 09:53:39,591 [INFO] aiohttp.access - 10.244.17.9 [13/Apr/2026:09:53:39 +0000] "OPTIONS /api/messages HTTP/1.1" 403 286 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36 Edg/146.0.0.0"

checked with app_id and app password, it should be correct.

should I do config in web chat? how I config my token?

SRILAKSHMI C 18,035 Reputation points Microsoft External Staff Moderator

2026-04-13T12:23:41.95+00:00
Hello XIANG Jirui (ME/ECO-CN),

Thank you for reaching out to Microsoft Q&A.

Based on the error you’re seeing (HTTP 403 on OPTIONS /api/messages), the issue is most likely related to CORS (preflight request failure) or incorrect Web Chat / Direct Line configuration, rather than a problem with your bot logic itself.

Below is a clean, complete, and production-ready response with all code snippets properly filled.

From your logs:

OPTIONS /api/messages → 403

This is a CORS preflight request sent by the browser.

If this request fails:

The browser blocks the actual POST call Your bot never receives the message

So this must be resolved first.

Resolution

Verify Microsoft App ID and Password

In Azure Portal:

Navigate to your Bot resource → Settings

Copy: Microsoft App ID Client Secret (App Password)

Ensure your bot configuration matches exactly:

Example

MicrosoftAppId = "YOUR_APP_ID" MicrosoftAppPassword = "YOUR_APP_PASSWORD"

Or in environment variables:

MicrosoftAppId=YOUR_APP_ID MicrosoftAppPassword=YOUR_APP_PASSWORD

Use Direct Line

Instead of calling /api/messages directly from the browser, use the Direct Line channel.

Enable Direct Line

Go to Azure Portal → Bot Resource

Open Channels

Enable Direct Line

Copy the Direct Line Secret

A. Quick test

<!DOCTYPE html> <html> <head> <script src="https://cdn.botframework.com/botframework-webchat/latest/webchat.js"></script> </head> <body> <div id="webchat" style="width: 400px; height: 500px;"></div> <script> const directLine = window.WebChat.createDirectLine({ secret: 'YOUR_DIRECT_LINE_SECRET' }); window.WebChat.renderWebChat( { directLine: directLine }, document.getElementById('webchat') ); </script> </body> </html>

B. Recommended

Step 1: Generate token

curl -X POST https://directline.botframework.com/v3/directline/tokens/generate \ -H "Authorization: Bearer YOUR_DIRECT_LINE_SECRET"

Step 2: Use token in Web Chat

<script> const directLine = window.WebChat.createDirectLine({ token: 'YOUR_GENERATED_TOKEN' }); window.WebChat.renderWebChat( { directLine: directLine }, document.getElementById('webchat') ); </script>

Fix CORS in your bot backend

Since your error is on OPTIONS, your backend must allow CORS.

Example

from aiohttp import web import aiohttp_cors async def messages_handler(request): return web.Response(text="OK") app = web.Application() # Add route resource = app.router.add_resource("/api/messages") route = resource.add_route("*", messages_handler) # Configure CORS cors = aiohttp_cors.setup(app, defaults={ "*": aiohttp_cors.ResourceOptions( allow_credentials=True, expose_headers="*", allow_headers="*", allow_methods=["POST", "OPTIONS"] ) }) cors.add(route) web.run_app(app, host="0.0.0.0", port=3978)

Test connectivity manually

DNS / connectivity test

curl -v https://your-bot-url/api/messages

Expected:

TLS handshake succeeds

May return 401/405

Important architecture clarification

Not recommended

Browser --> /api/messages directly

Requires CORS Error-prone

Recommended

Web Chat --> Direct Line --> Bot

Azure handles: Authentication Token exchange Routing

This avoids most 403/CORS issues.

Please refer this

General troubleshooting for Azure Bot Service (HTTP status codes): https://learn.microsoft.com/azure/bot-service/bot-service-troubleshoot-general-problems?view=azure-bot-service-4.0#http-401-and-403

I Hope this helps. Do let me know if you have any further queries.

Thank you!
SRILAKSHMI C 18,035 Reputation points Microsoft External Staff Moderator

2026-04-14T17:35:17.7566667+00:00

Hi XIANG Jirui (ME/ECO-CN),

Did you get any chance to review the above response. Do let me know if you have any further queries.

Thank you!
XIANG Jirui (ME/ECO-CN) 0 Reputation points

2026-04-15T02:50:09.53+00:00
Hi Srilakshmi,

Sorry for just noticing your answer, thanks for it

There is the situation:

I have this python /api/messages endpoint deployed on AKS for production, which is strict for network, when I test it on azure bot web chat, returns 403 always, but somehow is fixed I think after setting AKS CORS, 403 gone. but face new issue

I have same code deployed on sandbox subscription's app service, shared same app_id, test on same azure bot (changed endpoint url in configuration), it works

I tried to use access token captured from app service, use curl -X POST https://xxxxx/api/messages to query AKS endpoint, it also works

Now , i don't receive any message from AKS endpoint, maybe it's something behind network issue.

Test on APP Service endpoint:

curl -X OPTIONS
curl -X OPTIONS "https://awfchatbot-hxccadgpc7bne6f2.germanywestcentral-01.azurewebsites.net/api/messages" \ -H "Origin: https://teams.microsoft.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: Authorization, Content-Type" \ -i
log: returns 200 OK

curl -X POST messages, works, return message

test on azure bot web chat, works

Test on AKS endpoint:

curl -X OPTIONS
curl -X OPTIONS "https://agentic-workflow-chatbot-preview.aid.bosch.com/api/messages" \ -H "Origin: https://teams.microsoft.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: Authorization, Content-Type" \ -i
without log returns 200, without OK

curl -X POST messages, works, return message (token captured from app service)

test on azure bot web chat, failed

thanks, if you get any clue.
Manas Mohanty 16,670 Reputation points Microsoft External Staff Moderator

2026-04-18T06:50:52.2133333+00:00

Hi XIANG Jirui (ME/ECO-CN)

From above discussion, it seems some of host URLS are getting blocked on Web chat interface while using AKS endpoint.

We need to whitelist AKS specific URLs in outbound rules/CORS or proxy/firewall for smooth communicaiton.

HAR trace in above screenshot shows 502 bad gateway error.

Could you help with the error message (502 bad gateway), HAR trace resource ,id of Bot Service, VNET etc along other details in private message to create support ticket and review with product group internally.

Attached relevant guide on network isolation reference

https://learn.microsoft.com/en-us/azure/bot-service/dl-network-isolation-how-to?view=azure-bot-service-4.0&tabs=network

Thank you.
Manas Mohanty 16,670 Reputation points Microsoft External Staff Moderator

2026-04-23T07:41:49.3933333+00:00

Hi XIANG Jirui (ME/ECO-CN)

Could you help with few details requested in private message to investigate from backend.

Thank you

1 answer

Your answer

SRILAKSHMI C 18,035 Reputation points Microsoft External Staff Moderator

2026-04-14T17:35:17.7566667+00:00

Hi XIANG Jirui (ME/ECO-CN),

Did you get any chance to review the above response. Do let me know if you have any further queries.

Thank you!
XIANG Jirui (ME/ECO-CN) 0 Reputation points

2026-04-15T02:50:09.53+00:00

Hi Srilakshmi,

Sorry for just noticing your answer, thanks for it

There is the situation:

I have this python /api/messages endpoint deployed on AKS for production, which is strict for network, when I test it on azure bot web chat, returns 403 always, but somehow is fixed I think after setting AKS CORS, 403 gone. but face new issue

I have same code deployed on sandbox subscription's app service, shared same app_id, test on same azure bot (changed endpoint url in configuration), it works

I tried to use access token captured from app service, use curl -X POST https://xxxxx/api/messages to query AKS endpoint, it also works

Now , i don't receive any message from AKS endpoint, maybe it's something behind network issue.

Test on APP Service endpoint:

curl -X OPTIONS
curl -X OPTIONS "https://awfchatbot-hxccadgpc7bne6f2.germanywestcentral-01.azurewebsites.net/api/messages" \ -H "Origin: https://teams.microsoft.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: Authorization, Content-Type" \ -i
log: returns 200 OK

curl -X POST messages, works, return message

test on azure bot web chat, works

Test on AKS endpoint:

curl -X OPTIONS
curl -X OPTIONS "https://agentic-workflow-chatbot-preview.aid.bosch.com/api/messages" \ -H "Origin: https://teams.microsoft.com" \ -H "Access-Control-Request-Method: POST" \ -H "Access-Control-Request-Headers: Authorization, Content-Type" \ -i
without log returns 200, without OK

curl -X POST messages, works, return message (token captured from app service)

test on azure bot web chat, failed

thanks, if you get any clue.
Manas Mohanty 16,670 Reputation points Microsoft External Staff Moderator

2026-04-18T06:50:52.2133333+00:00

Hi XIANG Jirui (ME/ECO-CN)

From above discussion, it seems some of host URLS are getting blocked on Web chat interface while using AKS endpoint.

We need to whitelist AKS specific URLs in outbound rules/CORS or proxy/firewall for smooth communicaiton.

HAR trace in above screenshot shows 502 bad gateway error.

Could you help with the error message (502 bad gateway), HAR trace resource ,id of Bot Service, VNET etc along other details in private message to create support ticket and review with product group internally.

Attached relevant guide on network isolation reference

https://learn.microsoft.com/en-us/azure/bot-service/dl-network-isolation-how-to?view=azure-bot-service-4.0&tabs=network

Thank you.
Manas Mohanty 16,670 Reputation points Microsoft External Staff Moderator

2026-04-23T07:41:49.3933333+00:00

Hi XIANG Jirui (ME/ECO-CN)

Could you help with few details requested in private message to investigate from backend.

Thank you

Answer 1

HTTP 403 from /api/messages in Azure Bot Web Chat usually means the bot service is rejecting the request due to configuration, authentication, or hosting issues, not that Web Chat itself needs extra token configuration.

Use the standard troubleshooting flow for Bot Framework authentication and bot configuration:

Verify the bot works locally without security
- In the bot code, temporarily disable security:
  - .NET: in appsettings.json set:
```
       "MicrosoftAppId": "",
       "MicrosoftAppPassword": ""
```
  - JavaScript: in .env configure the adapter with:
```
       const adapter = new BotFrameworkAdapter({
           appId: null,
           appPassword: null
       });
```
  - Python: in config.py:
```
       class DefaultConfig:
           APP_ID = None
           APP_PASSWORD = None
```
- Run the bot on localhost.
- Use Bot Framework Emulator and connect to http://localhost:<port>/api/messages with Microsoft App ID and Microsoft App Password left empty.
- If this fails, fix endpoint/port/path issues first (ensure /api/messages and correct port).
Re‑enable security and test locally
- Restore the correct MicrosoftAppId and MicrosoftAppPassword in the bot configuration.
- In Emulator, connect to http://localhost:<port>/api/messages and provide the same App ID and password.
- If this fails, the App ID/password pair is invalid or mismatched with the bot registration.
Confirm the bot is running and reachable in Azure
- In Azure portal, open the bot’s App Service (or hosting resource).
- From the Overview pane, copy the Messaging endpoint and open it in a browser.
  - If it returns HTTP 404 or 405, the bot is reachable and responding.
  - If the browser shows “This site can’t be reached” or similar, the bot is down and must be redeployed or started.
Test in Web Chat from the Azure Bot resource
- In Azure portal, open the Azure Bot resource.
- Use Test in Web Chat.
- If Web Chat shows errors and the App Service logs show 403 on /api/messages, check:
  - Messaging endpoint on the bot’s Settings page:
    - Must be correct and include /api/messages.
    - Must start with https and use a valid, chain‑trusted certificate.
  - App ID and password in the bot code match the values configured for the Azure Bot resource.
No extra token configuration is needed in Web Chat
- The built‑in Web Chat in the Azure portal uses the bot’s configured credentials and endpoint automatically.
- 403 errors are resolved by fixing:
  - Bot authentication (valid App ID/password in both bot code and Azure Bot resource).
  - Correct HTTPS messaging endpoint.
  - Ensuring the bot is deployed, running, and reachable.

Once the bot responds correctly in Test in Web Chat with security enabled and a valid HTTPS endpoint, the 403 errors should stop, and no manual token configuration in Web Chat is required.

References:

Share via

azure chatbot 403

1 answer

Your answer