Persistent "Permission Denied: Forbidden" on wix-ecom-backend.orders.queryOrders() from Wix Automation HTTP Request

Hello Velo Community,

I’m facing a critical blocking issue with a Wix Automation integration and would appreciate any insights or similar experiences.

My Goal: To automatically push new Wix Store orders to an external shipping system (YDM/YunExpress) using a Wix Automation triggering an HTTP function.

My Setup:

• Wix Automation: Triggered by “Checkout & Orders” → “Order placed”.
• Automation Action: “Send HTTP request” configured for a Custom Payload.
  • Keys: “Checkout ID” and “Order number” (with spaces and capital letters, as shown in the UI).
• Velo Backend:
  • backend/http-functions.js: Receives the HTTP POST request.
  • backend/ordersHelper.web.js: Web module, called by http-functions.js. Contains the processOrderData function.
  • backend/ordersHelper.js: Internal module, contains processOrderDataCore (called by processOrderData in .web.js).
  • All calls ultimately use wix-ecom-backend.orders.queryOrders() to retrieve order details.

The Problem: After extensive troubleshooting and multiple iterations, I am consistently getting a “Permission denied: Forbidden” error when orders.queryOrders() is called, even though the setup seems correct.

What I’ve Done & Confirmed (Key Evidence):

1. Backend Code Correctness:

• Confirmed wix-ecom-backend is correctly imported and used.
• All prior parsing errors (is not a function, no-undef, already declared) are resolved. My code now deploys cleanly.
• The processOrderData function (in ordersHelper.web.js) has the @hasPermission ["Admin"] JSDoc tag correctly implemented. This has been verified multiple times, including “toggle & republish” attempts.
• The core logic for order querying and subsequent shipping system calls is sound.

2. Automation Payload & Data Availability (Proven):

• Initial Problem: The Automation initially sent either an empty payload ({}) or {"data": [{"checkoutId":null,"orderNumber":null}]}.
• Resolution: After much debugging and code adjustments (including implementing robust parsing in http-functions.js to handle various payload structures), I’ve achieved full success in extracting checkoutId AND orderNumber from the incoming HTTP request.
  • Latest Log Proof: My current http-functions.js logs show: Extracted data from HTTP function body (Custom Payload Parsing): {"checkoutId":"[actual_id]","orderNumber":"[actual_number]"}. This means the data is correctly reaching my Velo endpoint and being parsed.
• Email Test Proof: I also confirmed (as suggested by Wix Support) that the dynamic Checkout ID and Order number fields are correctly populated when sent in an “Email Action” from the same Automation trigger. This proves the data is available to the Automation itself.

3. The Persistent Blocker: Despite all of the above, once orders.queryOrders() is invoked (either by orderNumber or falling back to checkoutId), it always returns: "Permission denied: Forbidden".

My Conclusion: Given that:

• My Velo code is syntactically correct and using the recommended APIs.
• Permissions are explicitly set to “Admin” for the relevant function.
• The data is successfully sent by the Automation (as verified by email test) AND correctly parsed by my http-function.
• The error occurs only at the point of interacting with the wix-ecom-backend.orders module due to a permission denial.

This strongly indicates a fundamental platform bug within Wix’s system, specifically how the “Send HTTP request” action in Automations interacts with Velo backend permissions for wix-ecom-backend API calls.

Seeking Community Help: Has anyone else encountered this persistent “Permission denied: Forbidden” issue when calling wix-ecom-backend.orders from a Velo backend function triggered by a Wix Automation HTTP request? Are there any known workarounds or specific nuances to permissions in this exact scenario that I might be missing?