Production API and vercel dev blocked by X-Vercel-Mitigated challenge (403) / false CORS

tessdashservices-744 · May 14, 2026, 2:42pm

Project: tess-vercel-api
Plan: Hobby

Issue started suddenly without code changes or redeploy.

Symptoms:

Production API requests now fail with browser CORS errors, but actual response is:
- HTTP 403 Forbidden
- X-Vercel-Mitigated: challenge
- Content-Type: text/html
Direct API request to:
https://tess-vercel-api.vercel.app/api/tessapp-apx?action=organisationAdminPortalGetOrganisation
returns Vercel challenge instead of reaching server.
vercel dev also fails during setup with:
Error: invalid json response body at https://vercel.com/.well-known/openid-configuration reason: Unexpected token ‘<’, "<!DOCTYPE "… is not valid JSON

Diagnostics:

Browser opening https://vercel.com/.well-known/openid-configuration returns JSON
Node fetch / curl returns:
- 403 Forbidden
- X-Vercel-Mitigated: challenge
Bot Protection is inactive
No custom firewall rules originally
Added bypass rule for /api/tessapp-apx, but issue persists
Firewall dashboard shows DDoS Mitigation challenges

This appears to be a false positive from Vercel DDoS mitigation affecting both project traffic and CLI/OIDC requests.

Requesting review/unblock or guidance.

Topic		Replies	Views
Deployment thumbnail shows "Error: Forbidden (403)" — live site works fine Help	75	643	June 8, 2026
Flask + Server Functions - CORS Help python	2	145	March 2, 2025
v0 project modification fails with vercel.com refused to connect error Help v0 , v0-ui	5	140	March 5, 2026
Vercel Firewall false positive challenge on production domain Help	3	51	March 16, 2026
Firewall False positive detection in DDos mitigation Help	1	46	May 5, 2026