Add to basket api returns 403 forbidden when user is logged in

the add to basket api works just fine with an anonymous user but immediately the user is logged in, it starts returning 403 forbidden. I have 'oscarapi.middleware.ApiBasketMiddleWare','oscarapi.middleware.HeaderSessionMiddleware', in my middleware