Missing \"Authorization\" header issue

Hello everyone,

Installed Bitnami version of Suite CRM.

Was able to obtain access_toke, but not able to geting any request to API with 401 Unauthorized response and body

“error”: “access_denied”,
“message”: “The resource owner or authorization server denied the request.”,
“hint”: “Missing “Authorization” header”

Content of httd-app.conf

<IfDefine USE_PHP_FPM>
    <Proxy "unix:/opt/bitnami/php/var/run/suitecrm.sock|fcgi://suitecrm-fpm" timeout=300>

<Directory "/opt/bitnami/apps/suitecrm/htdocs">
    Options +MultiViews
    AllowOverride All
    <IfVersion < 2.3 >
        Order allow,deny
        Allow from all
    <IfVersion >= 2.3>
        Require all granted
    <IfModule php7_module>
            php_value upload_max_filesize 60M
php_value post_max_size 60M
php_value memory_limit 256M


    <IfDefine USE_PHP_FPM>
<IfModule pagespeed_module>
    ModPagespeed off

       <FilesMatch \.php$>
         SetHandler "proxy:fcgi://suitecrm-fpm"

    Include "/opt/bitnami/apps/suitecrm/conf/banner.conf"

and .htaccess

RedirectMatch 403 .*\.log$
RedirectMatch 403 /+not_imported_.*\.txt
RedirectMatch 403 /+(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules)/+.*\.(php|tpl)
RedirectMatch 403 /+emailmandelivery\.php
RedirectMatch 403 /+upload
RedirectMatch 403 /+custom/+blowfish
RedirectMatch 403 /+cache/+diagnostic
RedirectMatch 403 /+files\.md5$
<IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine On
    #RewriteBase /suitecrm
    RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&modulename=app_strings&lang=$1 [L,QSA]
    RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&modulename=$1&lang=$2 [L,QSA]
    RewriteRule ^api/(.*?)$ lib/API/public/index.php/$1 [L]
    RewriteRule ^api/(.*)$ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
<FilesMatch "\.(jpg|png|gif|js|css|ico)$">
        <IfModule mod_headers.c>
                Header set ETag ""
                Header set Cache-Control "max-age=2592000"
                Header set Expires "01 Jan 2112 00:00:00 GMT"
<IfModule mod_expires.c>
        ExpiresByType text/css "access plus 1 month"
        ExpiresByType text/javascript "access plus 1 month"
        ExpiresByType application/x-javascript "access plus 1 month"
        ExpiresByType image/gif "access plus 1 month"
        ExpiresByType image/jpg "access plus 1 month"
        ExpiresByType image/png "access plus 1 month"

Normally there is no need to mess with .htaccess when installing SuiteCRM.

I’ve installed SuiteCRM on Ubuntu 16.04 in Azure in about 10 minutes. Not in Bitnami, that makes things more difficult.

I just do

apt install lamp-server^

and then the rest of the normal steps as in https://suitecrm.com/suitecrm/forum/installation-upgrade-help/11561-installing-on-ubuntu-16-04-1#45976

Probably this a solution, but to check it need to start from scratch, maybe someone knows how it could be solved.

Which API are you trying to use, v4 or v8?

And which SuiteCRM version?

Is the rest of the app working well?

There might be something wrong with your API request, not necessarily a .htaccess problem…

I am using API version 8.

I am able to call /api/v8/swagger.json and getting 200 OK with huge json response and also as I sad able to get access_token trough /api/oauth/access_token and Web App also working, so it seems it is working fine.
But when trying to get response from those modules endpoints using token always get “Missing “Authorization” header”


Once you have authenticated with OAuth 2 Server, It will send you the access token in the response with the time out in seconds.

Each time you access the API resources on SuiteCRM, you need to include the access token in the Authorization header like

Authorization: Bearer token-string

Sorry I didn’t mention that I am definitely sending this header along with request.

I am also having this same issue

1 Like

Anyone have anything further info on this? Using v8.

I can confirm i am sending the token via the header (token cut off for ease of reading).

Return from auth:

[token_type] => Bearer
[expires_in] => 3599
[access_token] => eyJ0eXAi...

Request headers:

[0] => Content-type: application/vnd.api+json
[1] => Accept: application/vnd.api+json
[2] => Authorization: Bearer eyJ0eXAi...


error] => access_denied
[message] => The resource owner or authorization server denied the request.
[hint] => Missing "Authorization" header
1 Like

Hello !

Is there any workaround ?

I have the same issue with Version 7.10.9
I can auth but what ever the request I send with the Auth header I still get this answer :

    "error": "access_denied",
    "message": "The resource owner or authorization server denied the request.",
    "hint": "Missing \"Authorization\" header"

I do the request with Postman, here is the php transcript of the request


$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "http://IP.ADDR.OF.SUITE/api/Leads",
    "Accept: application/vnd.api+json",
    "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjQwNmFlZTNlZTU0OTBiOTAxMzViYWE3ZmNkODE3MjIzZTViZTliM2QxYjk5N2QxYzYxMTc5Yzk0NmYxMmQ0ZjlmMDUwZTAxZDIxOWUxOWRhIn0.eyJhdWQiOiI4MTViMDE0Yi0wMTVlLTM4NjYtNmY4Yi01YmJiNGM3MDNlMDkiLCJqdGkiOiI0MDZhZWUzZWU1NDkwYjkwMTM1YmFhN2ZjZDgxNzIyM2U1YmU5YjNkMWI5OTdkMWM2MTE3OWM5NDZmMTJkNGY5ZjA1MGUwMWQyMTllMTlkYSIsImlhdCI6MTUzOTAwMTg1NCwibmJmIjoxNTM5MDAxODU0LCJleHAiOjE1MzkwMDU0NTQsInN1YiI6IiIsInNjb3BlcyI6WyJzdGFuZGFyZDpjcmVhdGUiLCJzdGFuZGFyZDpyZWFkIiwic3RhbmRhcmQ6dXBkYXRlIiwic3RhbmRhcmQ6ZGVsZXRlIiwic3RhbmRhcmQ6cmVsYXRpb25zaGlwOmNyZWF0ZSIsInN0YW5kYXJkOnJlbGF0aW9uc2hpcDpyZWFkIiwic3RhbmRhcmQ6cmVsYXRpb25zaGlwOnVwZGF0ZSIsInN0YW5kYXJkOnJlbGF0aW9uc2hpcDpkZWxldGUiXX0.ADO49Rlj5DuqDclQsXO06ICMnjxALPBVo1RpuO-oAliBC4jP1BPwPZhiq0xAZmjWvPZZS89KV7JDsib1yf4xrN05ZTBIwz8DNT7xinmmbEiovVwdlqcVfXN06Rkt3v25redabDxR7ZSI3eCM7l7hkyuJv4k20IQwcm2hMQbRdV4",
    "Cache-Control: no-cache",
    "Content-Type: application/vnd.api+json",
    "Postman-Token: be56f0f3-1a9a-4771-87bb-49ec2b0aada1"

$response = curl_exec($curl);
$err = curl_error($curl);


if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;

Somebody help please :frowning:

try putting the headers in alphabetical order. i just had an issue trying to make a request and it ended up being the order of the headers. :silly:

[0] => Accept: application/vnd.api+json
[1] => Authorization: Bearer eyJ0eXAi...
[2] => Content-type: application/vnd.api+json
1 Like


I found multiple issues in the configuration of a standard webspace. What you could try:
[li]To make sure the authorization header is also transmitted after rewrite, by editing the following file:


Add the following Rewrite rule to the existing RewriteRules in the file:

RewriteRule ^lib/API/ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

[li]To avoid the usage of $_SERVER[PHP_SELF], which maybe disabled due to security reasons, modify


Replace the code between preg_match and $_SERVER[‘REQUEST_URI’] with

preg_match("/\/api(\/[^\?]*)(\?|$)/", $_SERVER['REQUEST_URI'], $matches);

$GLOBALS['app_list_strings'] = return_app_list_strings_language($GLOBALS['current_language']);

$_SERVER['REQUEST_URI'] = $_SERVER['SCRIPT_NAME'] . $matches[1];

[li] To make sure the server variable “REDIRECT_HTTP_AUTHORIZATION” is checked, add the following code below the code in the previous step:



1 Like

I’ve created a pull request for this : https://github.com/salesagility/SuiteCRM/pull/7173

1 Like