topic API Authorization header doesn't follow HTTP spec in Spotify for Developers https://community.spotify.com/t5/Spotify-for-Developers/API-Authorization-header-doesn-t-follow-HTTP-spec/m-p/5397381#M4917 <P>Hi,</P><P>&nbsp;</P><P>I've found that the Authorization header doesn't follow the HTTP spec (<A href="https://datatracker.ietf.org/doc/html/rfc7235#section-2.1" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc7235#section-2.1</A>). The spec says the scheme can be case insensitve, however Spotify's API expects it to be case-sensitive, that is, it forces it to be "Bearer" and "bearer" is not allowed.</P><P>&nbsp;</P><P>Unfortunately, this break some HTTP client libraries.</P><P>&nbsp;</P><P>This can be easily tried:</P><P>&nbsp;</P><P>curl --request GET&nbsp;'<A href="https://api.spotify.com/v1/tracks/SOME_ID" target="_blank" rel="noopener">https://api.spotify.com/v1/tracks/SOME_ID</A>'&nbsp;--header "Authorization: bearer TOKEN"</P><P>&nbsp;</P><P>which returns</P><P>&nbsp;</P><P>{\n \"error\": {\n \"status\": 400,\n \"message\": \"Only valid bearer authentication supported\"\n }\n}</P><P>&nbsp;</P><P>However, passing "Bearer" instead using the same token works:</P><P><BR />curl --request GET&nbsp;'<A href="https://api.spotify.com/v1/tracks/SOME_ID" target="_blank" rel="noopener">https://api.spotify.com/v1/tracks/SOME_ID</A>'&nbsp;--header "Authorization: Bearer TOKEN"</P><P>&nbsp;</P><P>It would be great if this issue could be fixed.</P><P>&nbsp;</P><P>Thanks!</P> Thu, 23 Jun 2022 21:10:04 GMT aconchillo 2022-06-23T21:10:04Z API Authorization header doesn't follow HTTP spec https://community.spotify.com/t5/Spotify-for-Developers/API-Authorization-header-doesn-t-follow-HTTP-spec/m-p/5397381#M4917 <P>Hi,</P><P>&nbsp;</P><P>I've found that the Authorization header doesn't follow the HTTP spec (<A href="https://datatracker.ietf.org/doc/html/rfc7235#section-2.1" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc7235#section-2.1</A>). The spec says the scheme can be case insensitve, however Spotify's API expects it to be case-sensitive, that is, it forces it to be "Bearer" and "bearer" is not allowed.</P><P>&nbsp;</P><P>Unfortunately, this break some HTTP client libraries.</P><P>&nbsp;</P><P>This can be easily tried:</P><P>&nbsp;</P><P>curl --request GET&nbsp;'<A href="https://api.spotify.com/v1/tracks/SOME_ID" target="_blank" rel="noopener">https://api.spotify.com/v1/tracks/SOME_ID</A>'&nbsp;--header "Authorization: bearer TOKEN"</P><P>&nbsp;</P><P>which returns</P><P>&nbsp;</P><P>{\n \"error\": {\n \"status\": 400,\n \"message\": \"Only valid bearer authentication supported\"\n }\n}</P><P>&nbsp;</P><P>However, passing "Bearer" instead using the same token works:</P><P><BR />curl --request GET&nbsp;'<A href="https://api.spotify.com/v1/tracks/SOME_ID" target="_blank" rel="noopener">https://api.spotify.com/v1/tracks/SOME_ID</A>'&nbsp;--header "Authorization: Bearer TOKEN"</P><P>&nbsp;</P><P>It would be great if this issue could be fixed.</P><P>&nbsp;</P><P>Thanks!</P> Thu, 23 Jun 2022 21:10:04 GMT https://community.spotify.com/t5/Spotify-for-Developers/API-Authorization-header-doesn-t-follow-HTTP-spec/m-p/5397381#M4917 aconchillo 2022-06-23T21:10:04Z