API GetOrganizations - 403 IP restriction - makes Meraki API unusable?

rhbirkelund
Kind of a big deal


I see that there have already been a few posts on this here and here

Just recently, I have also been granted RO access to an Organization with an API Source IP restriction. 

When trying to get organizations IDs for specific orgs (not including this), I'm getting random 403s just by the query alone. 


Exception has occurred: APIError
organizations, getOrganizations - 403 Forbidden, {'errors': ['Your client IP address [ip address] is not within an approved subnet for organization [org name and id]']}

...

meraki.exceptions.APIError: organizations, getOrganizations - 403 Forbidden, {'errors': ['Your client IP address [ip address] is not within an approved subnet for organization [org name and id]']}


I can guarantee that I am not changing IP addresses, which makes it even more odd as to why it works sometimes, and others don't. 


I fully understand that there may be requirements to limit, by source IP, who may use the API towards one's organization. What I do not understand is why this restriction must affect ALL my organizations?!


Why send a 403, and thus make the endpoint fail, rather than sending a 200 that everything is OK, but state in the management details field that there is an IP restriction? This is already the case for orgs that have Dashboard IP, unlicensed or anything else.


I would even go as far as to argue that having a 403 returned on an API Source IP restriction makes the Meraki API completely unreliable and in some cases unusable. Now I will have to manually determine the Org ID, rather than simply iterating through the orgs for the ones I am to work on. No automation available at all.


LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
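A defensive pattern for scripts that run into this, added here as an example and not taken from the thread or from the Meraki SDK: wrap the discovery call, recognise the source-IP-restriction 403 by the message quoted above, retry a couple of times (the failure is reported as intermittent), and otherwise fall back to a configured list of org IDs so scheduled jobs keep running instead of dying at step one. The `APIError` class, the `make_flaky_discovery` stub, the org records and the IP 198.51.100.7 are constructed stand-ins so the block runs without the SDK installed; with the real SDK you would pass `dashboard.organizations.getOrganizations` as the callable, and `classify_discovery_error` only inspects `str(exc)`, so it does not depend on the SDK's exception attributes.

```python
import re
from typing import Callable, Iterable, Optional


class APIError(Exception):
    """Constructed stand-in for meraki.exceptions.APIError (assumption: the real
    class formats its message like the one quoted in the thread)."""

    def __init__(self, status: int, body: str):
        super().__init__(f"organizations, getOrganizations - {status} Forbidden, {body}")
        self.status = status


# Matches the error text quoted in the thread; ip and org are captured for logging.
IP_RESTRICTION_RE = re.compile(
    r"Your client IP address (?P<ip>\S+) is not within an approved subnet "
    r"for organization (?P<org>[^']+)"
)


def classify_discovery_error(exc: Exception) -> Optional[tuple]:
    """Return (client_ip, org) when exc is the source-IP restriction 403, else None."""
    match = IP_RESTRICTION_RE.search(str(exc))
    return (match.group("ip"), match.group("org")) if match else None


def discover_org_ids(get_organizations: Callable[[], list],
                     fallback_org_ids: Iterable[str],
                     wanted_names: Optional[set] = None,
                     attempts: int = 3):
    """Try org discovery up to `attempts` times.

    Returns (org_ids, blocked): blocked is None on success, or the
    (client_ip, org) pair of the restricted org when every attempt was
    rejected and the configured fallback list was used instead.
    Any error other than the IP-restriction 403 is re-raised unchanged.
    """
    blocked = None
    for _ in range(attempts):
        try:
            orgs = get_organizations()
        except Exception as exc:
            blocked = classify_discovery_error(exc)
            if blocked is None:
                raise  # not the IP-restriction case; don't mask real failures
            continue
        ids = [o["id"] for o in orgs
               if wanted_names is None or o["name"] in wanted_names]
        return ids, None
    return list(fallback_org_ids), blocked


def make_flaky_discovery(fail_times: int, orgs: list) -> Callable[[], list]:
    """Constructed stub: rejects the first `fail_times` calls with the thread's 403."""
    calls = {"n": 0}

    def get_organizations() -> list:
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise APIError(403, "{'errors': ['Your client IP address 198.51.100.7 "
                                "is not within an approved subnet for organization "
                                "Restricted Org (123456)']}")
        return orgs

    return get_organizations


if __name__ == "__main__":
    sample_orgs = [{"id": "100", "name": "Customer A"},
                   {"id": "200", "name": "Customer B"}]
    fallback = ["200"]  # org IDs looked up once by hand, as the thread ends up doing
    ids, blocked = discover_org_ids(make_flaky_discovery(1, sample_orgs), fallback,
                                    wanted_names={"Customer B"})
    print("recovered on retry:", ids, blocked)
    ids, blocked = discover_org_ids(make_flaky_discovery(5, sample_orgs), fallback)
    print("fell back:", ids, "blocked by", blocked)
```

The returned `blocked` pair is worth logging or alerting on: it names the org whose restriction rejected the caller's IP, which is the information the 403 body carries and the detail a support case needs.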
sungod
Kind of a big deal

Imo it's a bug, it's clearly illogical for an 'all orgs discovery' endpoint to behave in this way.


If Meraki choose to extend the IP restriction to this call, the only logical behaviour would be to exclude any org(s) that had an IP restriction excluding the caller IP, not break the call for other orgs.


As more customers add IP restriction, the problem will get worse.


It looks like others have already tried support and got nowhere, but I would still open a case to raise the issue again.


Perhaps also raise it with your Meraki account team.

Mloraditch
Kind of a big deal

Hey look, my old post about this! We created a dedicated API user and key for the clients we manage to work around this.

It was causing all sorts of problems with our tools because most of our nightly/weekly routines run get orgs as the first step.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

Hint hint @Oren.

PhilipDAth
Kind of a big deal

I wonder if the same restriction applies when using OAuth to authenticate. Other limits (such as API calls per second) don't apply to OAuth authenticated connections.


This is an example script using OAuth that you could play with to see whether it is equally affected (or not).

https://github.com/obrigg/meraki-oauth


Oren
Meraki Employee All-Star

OAuth is not limited by IP restrictions, as it’s explicitly approved (reference). But OAuth tokens are org-scoped to begin with so there’s no reason to use getOrganizations with OAuth.


What’s being described here does not sound like an expected behavior. Was a support case created?

rhbirkelund
Kind of a big deal

I haven't tried with OAuth - still kind of struggling on how to incorporate it. 


I haven't opened a case, because from what I read on the other posts by Mloraditch and ricardocwc, it seemed to be like yelling into the forest. 

Oren
Meraki Employee All-Star

Please open a case and share the case number. If this is reproducible, I’ll keep an eye on it and make sure it’s addressed.

rhbirkelund
Kind of a big deal

As requested, I've opened a Support Case, and sent you the Case no. 🙂
