403 Forbidden when creating pledge via Giving API despite administrator permissions

[nicolasguzca]

Affected Product
Giving

Describe the bug
We are attempting to create pledges via the Planning Center Giving API and consistently receive a 403 Forbidden response, even though the authenticated user has administrator permissions in Giving. This behavior appears inconsistent because the same credentials successfully authenticate and can read Giving data, including campaigns and the /giving/v2/me endpoint.

To Reproduce

1. Authenticate using a Personal Access Token via HTTP Basic Auth
2. Send a POST request to:
   POST /giving/v2/people/{person_id}/pledges
3. Include a valid request body with:
   • amount_cents
   • person_id
   • pledge_campaign_id
4. Observe the response

Expected behavior
The pledge should be successfully created when using a user with Giving administrator permissions.

Screenshots
N/A

Additional Context:

• Endpoint: POST /giving/v2/people/{person_id}/pledges
• Language: Node.js (TypeScript)
• Authentication: Personal Access Token (HTTP Basic Auth)

Additional context
Authentication and read operations work as expected:

• GET /giving/v2/me returns "administrator" permissions
• Able to read campaigns and other Giving resources

Tested with:

• Multiple users with Giving administrator permissions
• Valid campaign (ID: 18018)
• Valid person (ID: 109177222)

Error returned:
{
"errors": [
{
"status": "403",
"title": "Forbidden",
"detail": "You do not have access to this resource",
"meta": {
"description": "User cannot create a Pledge."
}
}
]
}

We would like clarification on:

1. Whether additional organization-level permissions are required to create pledges via API
2. Whether Giving administrator role is sufficient for pledge creation
3. Whether there are any limitations or special setup required for this endpoint
4. Why read operations succeed but create operations fail with the same credentials

I have..

• Reviewed the documentation found at https://developer.planning.center/docs
• Searched for previous issues reporting this bug
• Removed all private information from this issue (credentials, tokens, emails, phone numbers, etc.)
• Reviewed my issue for completeness

[github-actions]

Potentially Related Issues

I found some existing issues that may be related to this one. Please check if any of them address your question before waiting for a response:

🟢 #1431 — Unable to create pledges via API – POST /giving/v2/people/{personid}/pledges returns 403 (Open)

Summary: User attempting to create pledges via POST /giving/v2/people/{person_id}/pledges receives 403 Forbidden despite having admin permissions. This is nearly identical to the new issue - same endpoint, same error, same auth success pattern, but still open without resolution.

Key discussion points:

• User confirmed authentication works - People API and Giving API read requests return 200
• Tested with multiple admin users and tokens, all receiving same 403
• Tested both via Apps Script and direct curl with HTTP Basic authentication
• Bot suggested related issue Unable to Post donations via API, 403 error #1360 about donations, but user clarified they're trying to create pledges, not donations
• PCO staff member @sheck acknowledged seeing a potential issue and indicated need to discuss with team before responding

🟣 #1360 — Unable to Post donations via API, 403 error (Closed)

Summary: User received 403 Forbidden when attempting to POST donations despite successful authentication and admin permissions. The issue was using the wrong endpoint structure.

Key discussion points:

• User had proper authentication (200 response), included User-Agent header, had bookkeeping access and admin permissions
• Could successfully create batches and query People API
• Error was 'User with id 24496760 cannot create a Donation' despite having proper permissions

Resolution: Resolved by using the correct nested endpoint /giving/v2/batches/{batch_id}/donations instead of the top-level /giving/v2/donations endpoint. The Giving API requires donations to be created through a batch-specific nested endpoint, though reading/updating can use the top-level endpoint. This is documented in the Donation API docs under the 'Creating' section. However, this resolution does NOT apply to the pledge creation issue, as pledges use a different endpoint structure.

🟣 #1313 — API returns random 403 errors in the middle of donation creation batch (Closed)

Summary: User experienced intermittent 403 errors during donation creation batches via OAuth2, with some requests succeeding and others failing in the same batch. This was related to WAF blocking, not permissions.

Key discussion points:

• Random 403 errors occurring during batch donation uploads to /giving/v2/batches/{batch_id}/donations
• Error response referenced CloudFront, indicating WAF/infrastructure-level blocking
• PCO had recently made WAF rule tweaks that were catching legitimate API requests
• Issue was intermittent - some donations posted successfully while others in same batch received 403

Resolution: Resolved by adding a User-Agent header to all API requests. PCO's WAF rules were updated to require User-Agent headers, and requests without them were being blocked with 403 errors. After implementing User-Agent headers, the 403 errors stopped occurring. This is a different root cause than permission-based 403 errors - it was infrastructure-level blocking rather than authorization issues.

---

This comment was generated automatically. If none of these match your issue, no action is needed — a team member will review your issue soon.