We Keep Coding

REST API Design: Should I use a custom header or Authorization for some sensible information?

this is my first question on StackOverflow. 😀
I'm currently creating a Discord Bot with a Dashboard and a private API for my service.
The flow I'm trying to create is the following
User logs in with Discord OAuth2 and gets his access_token
-> Client stores his access_token
-> When doing an action on the Dashboard and commit it, make an API call and pass his access_token
-> My API then check if he has the permission to commit it
(by doing a request to Discord's API with his access_token)
-> Realise the action if allowed
Because the user needs to send his access_token, I need to know how I'm supposed to recieve and use it safely, and following the best practices.
Those are the two way I found :
Use a custom HTTP Header like Discord-Access-Token: <access_token> and then process-it easly
to use Authorization: Baerer <access_token> (even tho this is not
an Authorization but something I need to check if the user is allowed
to use the API). + This is not really following the flow in FastAPI...
Does someone knows what is the best thing to use? Thanks in advance!

even tho this is not an Authorization but something I need to check if
the user is allowed to use the API
So Authorization in simple terms...
Think of your service as something that covers everything you do even doing stuff with tokens on Discord.
I would use the Authorization header, because it is standard, unless you have another token, because you cannot send multiple ones in a single request except if you package them together. If you have a different header, then the request can be modified or cached by proxies. https://stackoverflow.com/a/43164958/607033
As far as I understand Basic and Bearer are not the only types of Authorization, you can have a custom type too. If Bearer does not cover the term you need, then write something like DiscordOAuth2.

The Authorization header name is a misnomer, in the same category as the misspelling as 'Referrer'. The purpose of the Authorization header is actually authentication.
Also not that it's Bearer not Baerer.

How to consume the RSA Archer REST API to fetch Report?

Unable to retrieve ANY data when I try to fetch simple content from Archer via REST API calls through Postman or Mule.
1. Is URL below correct? What am I missing?
2. How to get Reports via Archer REST API i.e what API resource to use.
Have seen the Archer REST documentation but do not find it clear enough.
Have tried GET & POST, with Authorization configured, through Postman:
https://hostname/platformapi/core/security/login https://hostname/platformapi/core/content/123
https://hostname/RsaArcher/platformapi/core/content/123
I get 'Unauthorized: Access is denied due to invalid credentials.' error although I am told to have access.
Please suggest proper API call/path to be used and if any specific settings is to be made to retrieve data?
Archer version: 6.5
Note: Through POSTMAN and Mule, I have successfully consumed REST API from other secured applications. Struggling with Archer.
Thank you.

The documentation for Archer REST API was mentioned in a previous answer and seems to require a login into their site: https://stackoverflow.com/a/38511131/721855
This KB article shows examples on how to use the API from Powershell: https://community.rsa.com/docs/DOC-45643. It should be easy to adapt to Postman, Mule or whatever other language/tools.

I recently had the same issue. The company had anonymous authentication disabled on the api directory. The user account running postman must have access to the api directory. If you are still getting a 401, see if you anonymous access can be enabled to rule out other non-access related issues. If you are able to generate a security token when calling core/security/login when anonymous authentication is enabled, then you know the issue is that your account did not have access to the api directory. If you are not able to make the request successfully with anonymous authentication enabled, then you know the issue is likely with the way you've structured your REST call. Hope this helps!

Authentication to any Archer API is two step process. First you have to call an authentication resource or method. That will return a session token. You must then add that token to the request headers for subsequent requests. Your header would look something like this:
Authorization: Archer session-id=439C730FF83F68EFDC017ED705D9908E
Without this header, you'll get a 401 for any request other than an authentication request.

Using OAuth with Facebook as provider with an IBM Cloud Functions managed API

I am playing around with IBM Cloud Functions (OpenWhisk) and trying to setup authentication through OAuth with Facebook as the provider. I have setup an app with Facebook, I am able to successfully connect with this and fetch my token and I am able to verify this by fetching basic profile information (name and userID).
My problems starts when I enable OAuth in the IBM Cloud Functions API. I get a HTTP code 500 back from the call with very little information about what actually went wrong.
{"code":500, "message":"Oops. Something went wrong. Check your URI and try again."}
The only thing that is stated in the dashboard is:
You can control access to your API through the OAuth 2.0 standard. First require an end user to log in via IBM Cloud App ID, Facebook, GitHub, or Google. Then include the corresponding OAuth token in the Authorization header of each API request. The authenticity of the token will be validated with the specified token provider. If the token is invalid, the request will be rejected and response code 401 will be returned.
With this information I got that I need pass the token with the Authorization header. My best guess is that the call fails somewhere when the token is being validated.
I am using Vue and Vue-axios to perform the API call. My current call looks like this:
this.$http.get(API_URL+"?user_id="+localStorage.user_id,{headers :{'authorization':localStorage.token}}).then((response) => {
console.log(response);
});
I have tried adding bearer/Bearer or token/Token in front of the token (some posts I read indicated that you should do this), but this had no impact on the response.
If I disable the OAuth authentication from the Cloud Functions side, the code above works and correctly retrieves the data (with or without the header option).
From the Chrome Dev tools it looks to me like the token is added correctly to the request, since the request headers have the Authorization header with the token.
I am not that familiar with OAuth or IBM Cloud Functions, so the problem might have a very easy fix. However, I am unable to find documentation which clearly shows me how I am supposed set this up. I am also unable to find any logs or more information about what actually fails here. Am I missing something obvious here?
Kjetil

Fiware get access token seems to get wrong

We are having troubles with getting the access token from fiware since 4th August.
We are using this URL to ask for the token: https://orion.lab.fiware.org/token but it seems like it does not work.
Before using that URL we used to ask for this one:
http://cloud.lab.fi-ware.org:4730/v2.0/tokens
Could anyone, please, help us?
Thank you in advance.

It depends on how you want to get the token. The current OAuth2 URL to get the tokens is https://account.lab.fiware.org/oauth2/token. This is the central authority for authentication, if you are accessing any common GE, but you will need to register your application in FIWARE Account and use your application credentials and some OAuth2 grant to get it.
If you want to get the token for the global instance without using a registered application, the URL you have mentioned contains a token service that can give you a valid token for your user and that purpose. You can test it (and see an example) with the following script:
https://raw.githubusercontent.com/fgalan/oauth2-example-orion-client/master/token_script.sh

"Developer Inactive" on Beats Music server-side auth token request

I'm working on a project and a new Beats Music API library for Clojure, but in my testing I'm finding it difficult to get write access authentication, but read-only user authentication works fine.
In testing my library I set up a HTML page to do the OAuth and get the OAuth code and then feed that code in to my library to fetch the actual authentication token. The first part works flawlessly, the second part has the dreaded "Developer Inactive" error:
URL: /oauth/token
PARAMS: client_secret, client_id, redirect_uri, code, grant_type=authorization_code
METHOD: post (application/x-www-form-urlencoded)
I've double checked my redirect_uri is the same as defined in my app settings and is the url of the HTML page I generated the code with. I even checked with the support folks to double check that my application wasn't throttled or something, but that took too long and I made a second application and had the exact same results. I've looked at other support questions like this and nothing has helped, so unless I'm missing something in my auth request, my only other thought was that my user account is still on it's 14-day trail and maybe that is affecting my auth token in some way?
Any ideas or suggestions would be greatly appreciated.

From https://developer.beatsmusic.com/docs/read/getting_started/Client_Side_Applications
"The scope of an access token using the implicit flow is limited to read only since client side applications cannot keep a secret. You'll need to request the authorization grant flow via the Web Server Authentication for write permissions, such as updating a playlist."
I hope this helps.

As #jsd pointed out in a comment on my question, there was a typo in the url endpoint. The correct endpoint is (which I had in the other function and that's why it was working correctly):
/oauth2/token