I think either request should actually pass, since the token actually is valid (so the given error message is wrong) and considering the fact the error message is submitted as JSON anyway.
(Edit: This happens with the current unstable docker image pair.)
But now that you mention it works for you, I’ve tried it with the public demo instance and it works there, too. So this seems to be some random quirk caused by the proxying Apache I’m using in front of the Docker host. Will try to look more into this.
Just one more note (should really go to bed!), because this might be related:
If I query any random non-existing API endpoint, like let’s say /api/v1/randomgarbage I get HTTP 401, too (even on the demo server), while I’d actually expect HTTP 404.
You get the 404 when you access the endpoint with a valid api token. It is unexpected but since the middleware just check every incoming request it makes sense from an engineering perspective (ux is another story here)
Ahh if you’re using the api tokens and not a jwt token you’ll get a 401 for routes which you’re not allowed to access since the tokens are scoped. The way the scoping works is it checks if you’re allowed to use the current route and returns a 401 if it’s not in the list. It does not check if the route exist because that happens after the token middleware.
), because this might be related: