How to stop dreamfactory to interpret Authorization Bearer header in case of remote web service GET request?


I need to create a remote web service in DSP which makes a GET call to actual web service with Authorization Bearer header.

In short, I need to access a remote web service:
with header
Authorization: ‘Bearer R35…gP’

And I need a dsp service for the above call as shown below:
with header
Authorization: ‘Bearer R35…gP’

With a fresh local bitnami install of 2.3.1 release, I tried GET request BUT the GET request with Authorization header is not working on 2.3.1.

My curl request:
curl -i -k -3 -X GET “” -H “X-DreamFactory-Api-Key: 475…fbd2” -H “Content-Type: application/json” -H “Authorization: Bearer R35…gP”

This should do:

BUT the output is:

HTTP/1.1 400 Bad Request
Date: Sun, 23 Oct 2016 05:02:27 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Vary: Cookie
X-Powered-By: PHP/7.0.11
Cache-Control: no-cache
Content-Length: 89
Connection: close
Content-Type: application/json

{“error”:{“context”:null,“message”:“Invalid token: Wrong number of segments”,“code”:401, “trace”:[…]}}

Any clues ? I have gone through this post, but my error is different - might be a different issue.

Relevant screenshot:

Connecting to Web Service Rest API that need to sign in and cookie authentication
How to create a DSP service which make a remote web service POST call with parameters?
Beginner - how to make a remote web service call?

When I directly invoke the external web service using Postman
with below headers:

Content-Type: application/json
Authorization: Bearer cXzEQm0DcPfyerlM

I was able to get the correct response from above endpoint.

BUT in postman when I tried same with my DSP instance:

Content-Type: application/json
X-DreamFactory-Api-Key: 47...d2
Authorization: Bearer cXzEQm0DcPfyerlM

I get the same error in response from DSP instance:

      "error": {
        "context": null,
        "message": "Invalid token: Wrong number of segments",
        "code": 401,
        "trace": [..]

It seems that the dreamfactory instance is somehow interpreting Authorization Bearer header and expecting it to be in below format
Authorization: Bearer abc.def.ghi
as per jwt token standard.

But the external service I’m using expects this authorization header in non-jwt format, becoz it is NOT a jwt token actually.

Any suggestions or solution on how can I stop my dreamfactory instance to interpret the Authorization Bearer Headers ??



Same problem here – Did you find a solution?


Nope! not yet. However I’m now using dreamfactory 2.4.1-2. But still no success. May be someone should throw light on it, as it seems to be a pretty common usage of dreamfactory platform. Which version are you using?


The issue is that Authorization header is also used to authenticate yourself to DreamFactory… Dreamfactory checks the header when you send it to see if you are authorized, and it sees the Authentication header that you want passed through. In our case this was throwing an error then, because the pass through Auth Bearer header is not JWT format, and so DreamFactory throws an error instead of ignoring it.

One way is to use a different header field “AuthorizationPassThru” for your pass thru token, and in AuthCheck.php – AFTER user is authorized to DreamFactory, rewrite the Authorization header to your AuthorizationPassThru value if present.


as I mentioned here: Authorization header pass from client

I am experiencing the same issue too.


No updates here? :frowning: