We’re experiencing widespread 429 errors with Cloudflare bot challenges on Cart API endpoints (/cart.js, /cart/add.js, /cart/change.js) across many stores.
After a short period of normal browsing, all cart requests start returning “Your connection needs to be verified”, fully breaking add‑to‑cart and checkout. This now affects read endpoints (/cart.js) as well, not just mutations. Storefront API calls continue to work.
Repro patterns:
- VPN traffic (very common with real customers)
- Incognito / fresh sessions
- Local development environments
- Custom cart logic (delivery dates, etc.)
This is impacting hundreds of stores, especially US traffic, and is actively blocking real customers during peak sales periods.
This appears to be over‑aggressive Cloudflare bot detection or rate limiting applied to Cart API endpoints.
Can you please:
- Confirm this is a known issue
- Share whether Cart API / Cloudflare rules changed recently
- Provide mitigation guidance or recommended request limits
- Clarify whether Cart endpoints can be exempted from bot challenges
This is currently a storefront‑breaking issue with no reliable workaround.