Best answer

Bearer Token not included in header for test API connection

  • 21 July 2023
  • 6 replies

I am trying to test authentication of an app that uses a bearer Token for auth. When I input this as headers, they are not passed through to the request. See the error below. What am I doing wrong here?



authentication failed: The app returned "You are not permitted to perform this request". What happened (You are seeing this because you are an admin): Stack trace: ResponseError: {"status":403,"headers":{"content-type":"application/json","retry-after":null},"content":"{\"error\":{\"type\":\"request_error\",\"code\":\"forbidden\",\"detail\":\"You are not permitted to perform this request\",\"documentation_url\":\"\"},\"meta\":{\"request_id\":\"34ce0e94-4612-482c-b4fc-5dabf12f21de\"}}","request":{"url":""}} at _throwForStatus (/var/task/node_modules/zapier-platform-core/src/http-middlewares/after/prepare-response.js:13:11) at outResp.throwForStatus (/var/task/node_modules/zapier-platform-core/src/http-middlewares/after/prepare-response.js:68:5) at throwForStatusMiddleware (/var/task/node_modules/zapier-platform-core/src/http-middlewares/after/throw-for-status.js:5:14) at Object.<anonymous> (/var/task/node_modules/zapier-platform-core/src/middleware.js:80:37) From previous event: at /var/task/node_modules/zapier-platform-core/src/middleware.js:77:26 at Array.reduce (<anonymous>) at afterMiddleware (/var/task/node_modules/zapier-platform-core/src/middleware.js:76:21) at Object.<anonymous> (/var/task/node_modules/zapier-platform-core/src/middleware.js:94:18) From previous event: at Object.<anonymous> (/var/task/node_modules/zapier-platform-core/src/middleware.js:92:10) From previous event: at /var/task/node_modules/zapier-platform-core/src/middleware.js:89:45 at /var/task/node_modules/zapier-platform-core/src/tools/create-lambda-handler.js:212:18 at bound (node:domain:433:15) at runBound (node:domain:444:12) at process.processImmediate (node:internal/timers:476:21) at process.topLevelDomainCallback (node:domain:161:15) at process.callbackTrampoline (node:internal/async_hooks:128:24) From previous event: at Domain.<anonymous> (/var/task/node_modules/zapier-platform-core/src/tools/create-lambda-handler.js:196:10) at (node:domain:389:15) at Runtime.handler (/var/task/node_modules/zapier-platform-core/src/tools/create-lambda-handler.js:192:19) at Runtime.handleOnceNonStreaming (file:///var/runtime/index.mjs:1083:29)


Best answer by Prestonsteele 25 July 2023, 20:23

View original

This post has been closed for comments. Please create a new post if you need help or have a question about this topic.

6 replies

Userlevel 3
Badge +6

Hi @Prestonsteele , 

So sorry to hear about this error, and thank you for sharing those super helpful details. 

Your screenshot certainly shows the headers formatted as I’d expect as well. 

My apologies if I’m missing this in the stack trace, but where are you seeing that the token is not being included in the headers? Are those requests appearing in Monitoring?

I ask because 403s can sometimes be related to specific account permissions or restrictions on endpoints. That said, I had some trouble finding documentation on that endpoint.

I was unable to access this, personally, but I see a link included in the response. Are you able to view this?

Hi, I am accessing the API with same bearer token for the same resource in Postman and it returns perfectly. As you can see in the error code the header is as follows. This error occurs when I get to the test API section and attempt to use my auth token for logging in.


The header does not have the Authorization:  Bearer xxxxxxxxxxxxxx header that should be there.

Screenshot of working call in Postman:



Userlevel 3
Badge +6

Hi @Prestonsteele ,

Thanks for sharing those screenshots!

That is indeed interesting that the request works in Postman but not Zapier. 

This might not be a factor, but one thing I noticed:

  • In the Zapier screenshot, the endpoint is /event-types while in the Postman screenshot it appears to be /events

Otherwise, I’m curious if {"content-type":"application/json","retry-after":null} might be the headers of the response. For example, Zapier sends user-agent: Zapier in every request, which I also don’t see reflected there. 

After testing, have you tried clicking over to the HTTP tab and refreshing (you may need to wait a few seconds and/or try refreshing a few times for the logs to appear)? That tab should give a clearer picture of the request to confirm what is and isn’t making it into the headers:


Alternatively, logs are also surfaced in the Monitoring page, which should also show the full request, including headers (although the token would be censored for security).


Unfortunately I can’t get to that screen because it fails on the authentication screen before actually getting to testing.


Disregard, I figured out the problem. I was hitting the improper API URL. Thank you for your help.