When you configure the Teya Payments plugin for WooCommerce, Teya sends a registration webhook to your store. This webhook delivers the credentials the plugin needs so your store can communicate securely with Teya in future.
If this webhook is blocked by Cloudflare or another firewall, the setup cannot complete and you may see errors such as:
Registration webhook returned HTTP client error: status=403 FORBIDDEN
This guide helps you fix the most common Cloudflare and firewall causes so you can complete the plugin setup.
When this guide applies
-
You are trying to connect your WooCommerce store to Teya using the official Teya plugin.
-
After signing in to Teya and choosing the store you want to connect, you see an error page that links to this help page.
-
You, your developer, or your hosting provider see a 403 Forbidden or similar error for the webhook URLs:
https://yourdomain.com/wc-api/teya_oauth_callback/https://yourdomain.com/wc-api/teya_payments/
-
Your site uses Cloudflare, another CDN, or a Web Application Firewall (WAF) such as Sucuri, Wordfence, or a hosting‑provider firewall.
You do not need to complete every step below. After each main step, test the registration again.
Step 1: Allow Teya webhook IPs
Goal: Make sure your firewall allows Teya’s webhook requests to reach your WooCommerce store.
Teya’s webhook notifications currently come from these IP addresses:
63.35.101.16663.34.233.4534.252.138.105
- Go to Security → WAF → Tools or IP Access Rules.
- For each IP above, add an Allow rule for HTTPS (port 443).
If you use additional firewalls (for example, at your hosting provider), add the same IPs to their allowlists as well.
This is the most common fix. Test the plugin configuration again after applying these changes. If the issue persists, continue with the steps below.
Step 2: Check that the WooCommerce callback URL is reachable
Goal: Confirm that Teya can access the callback URL without being blocked or challenged.
The registration webhook is sent to:
https://yourdomain.com/wc-api/teya_oauth_callback/
To test this:
-
Open a browser in incognito / private mode.
-
Visit:
https://yourdomain.com/wc-api/teya_oauth_callback/
You should see one of the following:
- A blank page or a minimal WooCommerce‑style response.
- An HTTP 200 or 204 OK with no visible content.
If you see any of these instead, it means the webhook is still being blocked:
- A 403 Forbidden error.
- A Cloudflare challenge page (for example, “Checking your browser before accessing…” or a CAPTCHA).
- A branded firewall or security error page from your host.
In that case, move on to the next steps to adjust Cloudflare or your firewall rules.
Step 3: Check if Cloudflare or your firewall is blocking the webhook
Confirm if Cloudflare or a WAF is in use
-
Ask your developer or hosting provider whether your domain is behind Cloudflare or another WAF/security proxy.
- If you log in at
dash.cloudflare.comto manage DNS or security, you are likely using Cloudflare.
Review Cloudflare Firewall / WAF events
- Go to Security → WAF (Web Application Firewall) or Firewall rules.
-
Look at recent events for requests to:
/wc-api/teya_oauth_callback//wc-api/teya_payments//wc-api/*
-
Check for actions such as Block, Challenge, or JS Challenge on these URLs or on the Teya IPs listed earlier.
These actions indicate that Cloudflare is treating the webhook as suspicious traffic.
Check bot and “Under attack” settings
- If Bot Fight Mode or Super Bot Fight Mode is enabled, it may treat Teya’s webhook as a bot and block it.
- If your site is in Under Attack mode, Cloudflare may show a challenge page before allowing access, which blocks automated webhooks.
You do not need to turn off protection for your whole site. In the next step you will create rules that relax these checks only for the Teya webhook endpoints.
Step 4: Relax security rules for the WooCommerce endpoints
Goal: Allow webhook traffic on the WooCommerce endpoints while keeping protection on the rest of your site.
Even if you allowlist the IPs, Cloudflare or another WAF may still challenge, rate‑limit, or block the requests.
/wc-api/*/wc-api/teya_oauth_callback//wc-api/teya_payments/
Recommended configuration in Cloudflare (or equivalent in your WAF):
- Go to Security → WAF → Rules.
-
Create a rule where URI path contains
/wc-api/(or use an expression such asstarts_with(http.request.uri.path, "/wc-api")). - For this rule, set the action so that Cloudflare:
- Allows or skips WAF checks.
- Skips bot protection (Bot Fight Mode).
- Skips JS challenges.
-
Ensures Rate Limiting is not blocking repeated calls to these endpoints.
This keeps security on the rest of your site, while allowing the plugin’s technical callbacks to work.
Apply similar exceptions in any other WAF or security plugin by relaxing rules for the same paths.
Step 5: Exclude webhook endpoints from caching
Goal: Make sure Cloudflare or your CDN always forwards webhook calls to WooCommerce instead of serving a cached response.
Caching can cause stale or unexpected responses for webhook calls.
- Go to Rules → Page Rules or Cache Rules.
-
Add rules to bypass cache for:
/wc-api/*/wc-api/teya_payments//wc-api/teya_oauth_callback/
- Set these rules to:
- Cache level: Bypass.
-
Edge cache TTL: 0, or disabled for these paths.
This ensures Cloudflare always forwards the request to your WooCommerce site and returns the real response.
Step 6: Check SSL / HTTPS configuration
Goal: Confirm that the connection between Teya and your WooCommerce store is secure and compatible.
The Teya plugin requires a valid HTTPS connection to your WooCommerce store.
- Open your store URL (for example,
https://yourdomain.com) in a modern browser. - Make sure there are no warnings about an expired or invalid certificate.
Check Cloudflare SSL/TLS mode:
- In Cloudflare, open SSL/TLS.
- Set SSL/TLS encryption mode to Full or Full (Strict).
-
Avoid Flexible mode, as it can cause inconsistent behaviour for APIs and webhooks.
Step 7: Retest the plugin configuration
After adjusting your firewall, caching, and SSL settings, test the plugin again.
- Go to WooCommerce → Settings → Payments.
- Find Teya Payments in the list.
- Click Complete setup to run the configuration again.
-
Sign in with your Teya ID and select the correct store, if prompted.
When the configuration succeeds, you should see:
- The plugin marked as enabled.
- A confirmation banner such as “Successfully connected to Teya” in the plugin settings.
If the plugin still does not connect, continue with the checklist and support section below.
Quick checklist of common fixes
Most merchants resolve webhook and Cloudflare issues by:
- Allowing the Teya webhook IP addresses in Cloudflare and any server firewall.
- Disabling or bypassing strict bot protection (for example, Bot Fight Mode, “Under attack” mode) for:
/wc-api/*/wc-api/teya_payments//wc-api/teya_oauth_callback/
- Ensuring WAF rules and Rate Limiting are not blocking or throttling webhook or API calls to those paths.
- Bypassing cache for the same webhook endpoints so that requests always reach WooCommerce.
- Using a valid SSL certificate and Cloudflare SSL mode set to Full or Full (Strict), not Flexible.
- Keeping WooCommerce and the Teya plugin up to date, as outdated plugins can sometimes reject API or webhook calls.
If it still does not work – contact Teya Support
If you have followed all the steps above and still cannot complete the plugin configuration, Teya Support can help investigate further.
Collect useful information before you reach out
Having the details below ready will help us resolve your issue faster:
- Your Teya merchant ID or store ID (from your Teya App or Business Portal, if available).
- Your WooCommerce store URL (for example,
https://yourdomain.com). - Confirmation of whether you use Cloudflare or any other WAF or security plugin (for example, Sucuri, Wordfence, hosting firewall).
- A short description of what happens when you try to complete plugin setup, including any error messages in WooCommerce or Teya.
- Screenshots of:
- The error in WooCommerce or the Teya configuration screen.
- Any relevant events in your Cloudflare or firewall logs showing blocked or challenged requests to:
/wc-api/teya_oauth_callback//wc-api/teya_payments/
- The approximate date, time, and time zone of your last failed attempt, so we can check logs on our side.