Thanks. Yes, looking at the log file gave me the answer
tail -n20 -f /var/log/hestia/*.log
2023/06/15 11:37:01 [error] 3320#0: *113 FastCGI sent in stderr: "PHP message: PHP Warning: Undefined variable $hst_return in /usr/local/hestia/web/api/index.php on line 43" while reading response header from upstream, client: 127.0.0.1, server: _, request: "POST /api/ HTTP/1.1", upstream: "fastcgi://unix:/run/hestia-php.sock:", host: "wbs.xxx/.nl:9183"
So I added that in, and now it works Seeing as the servers IPv4 is already added, would it not make sense to also add 127.0.0.1 to the whitelist as well? (or maybe show the requesting IP address in the error message, so you know which one is trying to connect)
For anyone else trying to find the option - its in Settings > Configure > Security > System > Allowed IP addresses for API