Authorization via custom X-API-Key header doesn't work

Hello! I need help with authorization via a custom header. Our API uses the X-API-Key custom header as described here: API Keys for passing the API key as an authorization token. It works as expected in https://app.swaggerhub.com/ but in Katalon it doesn’t. I’ve imported the OpenAPI spec into Katalon and added a custom X-API-Key header with the needed API key, but every time I made a request I got a 401 response code. What am I doing wrong?

1 Like

Hi alexfeel,

Can you share with us more details about your WS request (some screenshots) and the response message?

Thanks.

Hi duyluong,

I’ve sent you a PM with some info you can use to check how it works via SwaggerHub. When I try to do the same in Katalon I get this:

@duyluong do you have any thoughts about that?

Hi alexfeel,
I got your private message yesterday but the API token has been revoked. I got 401 on every request.

Hi @duyluong, I’m positive that’s a Katalon problem. I’m sure that all is working fine on our end, but as you see in the screenshot it doesn’t work in Katalon. Maybe I use it in a wrong way?

Can anybody help with this problem or confirm this is a Katalon bug?

@devalex88 or @Zarashima, please tell me how to confirm or disprove that this behavior is a bug. I can share an API key for testing if needed.

Sorry for the issue. We’ll check again and see if the sent requests contain the desired headers. You can also use Fiddler to capture and investigate these requests.

I’ve tried Fiddler and saw that the headers were present :confused:

Will removing the trailing ? help?

Katalon doesn’t allow removing it: every time I click the button it is added again…

Hi @alexfeel,
Because you sent the GET request successfully via the command line but not via Katalon, I guess it’s a proxy problem. Please check and configure the proxy settings for Katalon first. If you still get the Unauthorized issue, send us your API key for further investigation.

Hi @Loan_Tran,
I wasn’t using a proxy

I used a proxy only when I was investigating headers via Fiddler. I thought that maybe there is some kind of proxy server through which I access the network, but curl works without problems on the same computer. I’ll send you a PM with the API key and a link to the docs about the API in a few minutes.

Hi @alexfeel,
Please use ‘x-api-key’ instead of ‘X-API-KEY’; then you can send the request successfully.

2 Likes

@Loan_Tran thank you a lot! It works! So is that a kind of bug? And do I have to use lowercase letters in all custom (X-) headers?

Hi @alexfeel,
Nope, it’s not a bug. You gotta use the correct supported key. It might help to find one via the suggestion feature. This list shows frequently used keys for short only.


About the reason why you used ‘X-API-Key’ and the request was sent successfully by curl, I guess that curl automatically converts the key to lowercase.

4 Likes

That’s awesome @Loan_Tran.

@alexfeel for your information:

https://tools.ietf.org/html/rfc7230#section-3.2

3.2. Header Fields

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

I think the web app in this case has failed to comply with the standards.

1 Like
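The RFC 7230 rule quoted above, as an added example that is not code from the thread, from Katalon, or from the API under test: a hypothetical server-side key check that matches the field name by exact spelling, next to one that compares it case-insensitively. The key value, host, path and function names are constructed for illustration.

```python
import hmac

EXPECTED_KEY = "example-key-123"  # constructed sample value, not from the thread

def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Parse the header section of an HTTP/1.1 request into (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # RFC 7230 allows no whitespace between the field name and the colon.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        pairs.append((name, value.strip(" \t")))
    return pairs

def api_key_case_sensitive(pairs):
    """Non-compliant lookup: only the exact spelling 'x-api-key' is found."""
    return dict(pairs).get("x-api-key")

def api_key_case_insensitive(pairs):
    """RFC 7230 section 3.2 lookup: field names compare case-insensitively."""
    values = [v for n, v in pairs if n.lower() == "x-api-key"]
    # Reject duplicated key headers rather than guessing which copy counts.
    return values[0] if len(values) == 1 else None

def status(key):
    """Return 200 for the expected key, 401 otherwise (constant-time compare)."""
    ok = key is not None and hmac.compare_digest(key.encode(), EXPECTED_KEY.encode())
    return 200 if ok else 401

def request(header_name: str) -> bytes:
    """Build a constructed sample request carrying the key under header_name."""
    return (f"GET /v1/items HTTP/1.1\r\nHost: api.example.test\r\n"
            f"{header_name}: {EXPECTED_KEY}\r\n\r\n").encode()

if __name__ == "__main__":
    for name in ("X-API-Key", "X-API-KEY", "x-api-key"):
        pairs = parse_headers(request(name))
        print(name, status(api_key_case_sensitive(pairs)),
              status(api_key_case_insensitive(pairs)))
```

A client that sends the same key under a different capitalization gets 401 only from the exact-spelling lookup, which is what makes this kind of mismatch look like a client bug.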

@Loan_Tran, @devalex88, thank you very much!