API Authorization header doesn't follow HTTP spec


Hi,

 

I've found that the Authorization header doesn't follow the HTTP spec (https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). The spec says the scheme can be case-insensitive; however, Spotify's API expects it to be case-sensitive, that is, it forces it to be "Bearer" and "bearer" is not allowed.

 

Unfortunately, this breaks some HTTP client libraries.

 

This can be easily tried:

 

curl --request GET 'https://api.spotify.com/v1/tracks/SOME_ID' --header "Authorization: bearer TOKEN"

 

which returns

 

{
  "error": {
    "status": 400,
    "message": "Only valid bearer authentication supported"
  }
}

 

However, passing "Bearer" instead using the same token works:


curl --request GET 'https://api.spotify.com/v1/tracks/SOME_ID' --header "Authorization: Bearer TOKEN"

 

It would be great if this issue could be fixed.

 

Thanks!
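An added example, not part of the original post and not Spotify's code: two Authorization header parsers side by side, one modelling the case-sensitive check the post describes and one comparing the scheme case-insensitively as RFC 7235 section 2.1 specifies. The function names and sample headers are constructed for illustration, and token validation uses the token68 syntax from RFC 7235 as an assumption about the token format.

```python
import re

# token68 syntax (RFC 7235 section 2.1), also used for bearer tokens in RFC 6750
_TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def parse_bearer_strict(header):
    """Hypothetical model of the reported behaviour: only the exact prefix "Bearer " passes."""
    prefix = "Bearer "
    if header is None or not header.startswith(prefix):
        return None
    token = header[len(prefix):]
    return token if _TOKEN68.fullmatch(token) else None


def parse_bearer_rfc7235(header):
    """Scheme is matched case-insensitively; the token itself stays case-sensitive."""
    if header is None:
        return None
    scheme, sep, rest = header.strip().partition(" ")
    if not sep or scheme.lower() != "bearer":
        return None
    token = rest.lstrip(" ")  # the grammar allows 1*SP between scheme and credentials
    # Reject anything that is not a single well-formed token (e.g. embedded spaces)
    return token if _TOKEN68.fullmatch(token) else None


# Constructed sample headers (placeholder tokens, not real credentials)
SAMPLES = [
    "Bearer abc.DEF-123",
    "bearer abc.DEF-123",
    "BEARER abc.DEF-123",
    "Basic dXNlcjpwYXNz",
    "bearer",
    "bearer abc def",
]


def compare(samples=SAMPLES):
    """Return (header, strict_result, rfc7235_result) for each sample."""
    return [(h, parse_bearer_strict(h), parse_bearer_rfc7235(h)) for h in samples]


if __name__ == "__main__":
    for header, strict, lenient in compare():
        print(f"{header!r:24} strict={strict!r:16} rfc7235={lenient!r}")
```

Relaxing the scheme comparison does not loosen authentication: the token is still extracted verbatim and malformed credentials are rejected by both parsers.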
