I created a new object called “faq” and gave the “Guest” role view permission on that object, but when I call the API (OOTB API) to fetch the data I get a 403.
Any support in this matter?
Liferay Version : 2026 q1.7-lts
Object Scope : Site Scope
Target Role : Guest
API called :
curl --location 'http://localhost:8080/o/c/faqs/scopes/Guest' \
--header 'accept: application/json' \
--header 'Cookie: JSESSIONID=5BF1B0F62DB8C7BE75A970261EF58861'
Response :
2 Answers
Hello Ahmad,
From what I can see, you have scoped your Object to Site, is that right? If so, your GET URL should use the scopeKey of the site; for the OOTB site of Liferay it is L_GUEST. I can see Guest in your URL, and I think this might be your issue.
Hey @Ahmad_Qasem,
Aside from Roselaine’s suggestion about verifying your scope key in the URL (/scopes/Guest refers to the site name, not the role), you might want to check the Service Access Policy settings as well.
Liferay has two layers of access control for headless APIs:
- Role Permissions: controls what data a role can access (this was configured correctly).
- Service Access Policy (SAP): controls which API endpoints are accessible to unauthenticated/guest requests.
So sometimes even with Guest VIEW permission, the request is blocked at the SAP layer before the permission check ever runs.
You can check this by:
- Go to Control Panel → Service Access Policies and ensure the OBJECT_DEFAULT SAP is enabled. This ships with Liferay and should allow unauthenticated GET requests to custom object APIs.
- If that doesn’t resolve it, create a custom SAP with:
You can check this documentation for reference: Making Unauthenticated Requests – Liferay Learn
Still same issue @Roselaine
– Ahmad_Qasem
This is odd, try in a browser and see if you get the same result.
– RoselaineMarques
I did, still same issue
– Ahmad_Qasem