API Authorization header doesn't follow HTTP spec

Hi,

I've found that the Authorization header doesn't follow the HTTP spec (https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). The spec says the scheme can be case insensitive, however Spotify's API expects it to be case-sensitive, that is, it forces it to be "Bearer" and "bearer" is not allowed.

Unfortunately, this breaks some HTTP client libraries.

This can be easily tried:

curl --request GET 'https://api.spotify.com/v1/tracks/SOME_ID' --header "Authorization: bearer TOKEN"

which returns

{
  "error": {
    "status": 400,
    "message": "Only valid bearer authentication supported"
  }
}

However, passing "Bearer" instead using the same token works:


curl --request GET 'https://api.spotify.com/v1/tracks/SOME_ID' --header "Authorization: Bearer TOKEN"

It would be great if this issue could be fixed.

Thanks!
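The post above reports a server that compares the auth-scheme case-sensitively. The following is an added example, not Spotify's code and not part of the original post; it puts the reported case-sensitive behaviour next to an RFC 7235 / RFC 6750 conformant parse of the same header so the difference is visible, and sketches how a resource server should answer missing, malformed and unknown credentials. The function names (`parse_bearer_strict`, `parse_bearer_rfc`, `compare_variants`, `authorize`), the realm string and the sample tokens are assumptions chosen for the example.

```python
import re

# RFC 7235 section 2.1: auth-scheme is a case-insensitive token followed by 1*SP.
# RFC 6750 section 2.1: the credential after "Bearer" is a b64token:
#   1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# This regex is an added illustration, not the API's own implementation.
_BEARER_RE = re.compile(
    r"^bearer"                            # scheme (IGNORECASE below makes it case-insensitive)
    r" +"                                 # 1*SP between scheme and credentials
    r"(?P<token>[A-Za-z0-9\-._~+/]+=*)"   # b64token
    r"$",
    re.IGNORECASE,
)


def parse_bearer_strict(header_value: str):
    """Case-sensitive variant reproducing the behaviour the post reports:
    only the literal spelling 'Bearer' is accepted. Returns the token or None."""
    prefix = "Bearer "
    if not header_value.startswith(prefix):
        return None
    token = header_value[len(prefix):].strip()
    return token or None


def parse_bearer_rfc(header_value: str):
    """RFC 7235 / RFC 6750 conformant parse: scheme compared case-insensitively,
    credential must be a well-formed b64token, anything else is rejected."""
    m = _BEARER_RE.match(header_value.strip())
    return m.group("token") if m else None


def compare_variants(token: str = "TOKEN"):
    """For several spellings of the scheme, report (strict_accepts, rfc_accepts)."""
    results = {}
    for scheme in ("Bearer", "bearer", "BEARER", "bEaReR"):
        value = f"{scheme} {token}"
        results[scheme] = (
            parse_bearer_strict(value) is not None,
            parse_bearer_rfc(value) is not None,
        )
    return results


def authorize(headers: dict, valid_tokens: set):
    """Minimal resource-server check. Returns (status, response_headers, body).
    Status codes follow RFC 6750 section 3.1: no credentials -> 401 with a bare
    challenge; malformed credentials -> 400 invalid_request; unknown token -> 401
    invalid_token. The realm value is an assumption for the example."""
    # Header field names are case-insensitive as well (RFC 7230 section 3.2).
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}, {"error": "missing credentials"}
    token = parse_bearer_rfc(value)
    if token is None:
        return (400,
                {"WWW-Authenticate": 'Bearer realm="api", error="invalid_request"'},
                {"error": "malformed Authorization header"})
    if token not in valid_tokens:
        return (401,
                {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'},
                {"error": "invalid token"})
    return 200, {}, {"ok": True}


if __name__ == "__main__":
    # Constructed sample token; not a real credential.
    for scheme, (strict_ok, rfc_ok) in compare_variants().items():
        print(f"{scheme:8} strict={strict_ok!s:5} rfc={rfc_ok}")
    print(authorize({"authorization": "bearer abc.def"}, {"abc.def"}))
```

Running the block shows that only the exact spelling `Bearer` passes the strict parser while all four spellings pass the RFC parser; a client library that normalises the scheme to lower case therefore fails only against the strict behaviour. Note that accepting the scheme case-insensitively does not loosen validation of the credential itself: the RFC parser still rejects an empty token, a token containing spaces, or a different scheme such as `Basic`.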
