API access blocked from Power Automate

I have a client from Norway who is trying to access my website’s API via Microsoft Power Automate. However, Cloudflare’s anti Bot system is engaging in a javascript challenge which prevents my client from accessing the API. One other issue is my client must be able to use different IP addresses at different moments, so I can’t simply whitelist their addresses, it has to be flexible for new addresses each time. The only option which seems to work at the moment is if my client sets the IP to a specified region, and I whitelist that region, but that opens up the possibility of threats coming from that region address. I would appreciate suggestions on how to handle this issue.

The only way to bypass Bot Fight Mode / Super Bot Fight Mode is with IP addresses.

If that doesn’t work for you, the only option is to disable BFM/SBFM and setup your own firewall rules to manage unwanted traffic (i.e with Threat Score and other fields) - https://developers.cloudflare.com/ruleset-engine/rules-language/fields/

Bot Management offers a lot more flexibility but that is exclusively an add-on for Enterprise plans.

Thank you, I will look into the other fields that are available

1 Like