Problem with API authorization

Stesvis 1,041 Reputation points

Hello, I am having some issues with an API call from my mobile app.
The API is developed with ASP.NET MVC 5.

All my API calls work, with a 200 status code.
But there is one DELETE call that always returns 401, of course using the same access_token. If I reuse the same token for a different GET/POST/PUT call everything succeeds.

FYI, this is the response that keeps failing, and I don't understand why:

Object {
  "config": Object {
    "adapter": [Function xhrAdapter],
    "baseURL": "",
    "data": undefined,
    "headers": Object {
      "Accept": "applications/json",
      "Authorization": "Bearer QsX8raQRx7pKJZHrNkeCEl2yUbsq3mwla1_6DwReJpFSfVWn18fzM6cdI9XgCFOxO-wseMHM1pLSsuNGi3_PNXpWvulv0oTaWnKOt6zUuj_mjetiApfNfUX4FSnRrVcHGycJLt8bf4hJX6P1HMVi4DsZsm9ASwbXXQosqAWKIgE_wMpNtGQ8PXpmZL977HBlM9IzpcRw4SBMslbxh00AY-zz75KTbPSbZM198YzDFT5tJyDYuN1bZBWGYk8ivRYx3OgLLrFMNp4HSRkbzzdmQa1cd7dmLRtUv6bnU8c1NX6rxpdtuoMGvKsTp5ZuWisA",
    "maxBodyLength": -1,
    "maxContentLength": -1,
    "method": "delete",
    "params": Object {},
    "timeout": 0,
    "transformRequest": Array [
      [Function transformRequest],
    "transformResponse": Array [
      [Function transformResponse],
    "transitional": Object {
      "clarifyTimeoutError": false,
      "forcedJSONParsing": true,
      "silentJSONParsing": true,
    "url": "Products/4670?target=mobile",
    "validateStatus": [Function validateStatus],
    "xsrfCookieName": "XSRF-TOKEN",
    "xsrfHeaderName": "X-XSRF-TOKEN",
  "data": Object {
    "message": "Authorization has been denied for this request.",
  "duration": 69,
  "headers": Object {
    "cache-control": "no-cache",
    "content-length": "68",
    "content-type": "application/json; charset=utf-8",
    "date": "Tue, 01 Mar 2022 23:25:32 GMT",
    "expires": "-1",
    "pragma": "no-cache",
    "server": "Microsoft-IIS/10.0",
    "www-authenticate": "Bearer",
    "x-aspnet-version": "4.0.30319",
    "x-powered-by": "ASP.NET",
  "ok": false,
  "originalError": [Error: Request failed with status code 401],
  "problem": "CLIENT_ERROR",
  "status": 401,

NOTE: when I use Postman to log in to the /token endpoint, the access_token that I get back is about double the character length, not sure if it depends on the device I am using to log in (Postman vs mobile app).

Can anyone see what's wrong?


Accepted answer
AgaveJoe 26,166 Reputation points

You have not told us anything about how the delete works. Perhaps the user/claim/role does not have authorization to delete the resource. Check the code.
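An added illustration of the accepted answer's point, not code from the question or from any Microsoft sample; the ProductsController, the "Admin" role, AppOAuthProvider and UserIsAdmin are assumed names. It shows how a per-action authorization attribute in ASP.NET Web API 2 (the Web API stack of an MVC 5 project) produces exactly the 401 body seen in the question for DELETE while GET and PUT succeed with the same token, and where the role claim that the attribute checks is decided.

```csharp
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin.Security.OAuth;

// Hypothetical controller (not the asker's code): the same valid bearer token
// passes the controller-wide [Authorize] for GET/PUT but fails the stricter
// action-level attribute on DELETE.
[Authorize]                      // controller-wide: any valid bearer token may call
[RoutePrefix("Products")]
public class ProductsController : ApiController
{
    [HttpGet, Route("{id:int}")]
    public IHttpActionResult Get(int id, string target = null) => Ok(new { id, target });

    [HttpPut, Route("{id:int}")]
    public IHttpActionResult Put(int id) => Ok();

    // The request is authenticated (token valid) but the principal carries no
    // "Admin" role claim, so AuthorizeAttribute rejects it: HTTP 401 with body
    // {"message":"Authorization has been denied for this request."}
    [HttpDelete, Route("{id:int}")]
    [Authorize(Roles = "Admin")]
    public IHttpActionResult Delete(int id, string target = null)
        => StatusCode(HttpStatusCode.NoContent);
}

// Role membership is fixed when the /token endpoint builds the ticket, so the
// claims added here are the only ones the API can evaluate later.
public class AppOAuthProvider : OAuthAuthorizationServerProvider
{
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Password verification against the user store happens before this point.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        // Without a role claim matching the attribute, DELETE is denied even though
        // GET/PUT succeed with the very same token. Grant it only to entitled users.
        if (UserIsAdmin(context.UserName))
            identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));
        context.Validated(identity);
        return Task.FromResult(0);
    }

    // Placeholder lookup for this example; a real implementation queries the user store.
    private static bool UserIsAdmin(string userName) => userName == "admin";
}
```

A quick check on the server side is to log `User.Identity.IsAuthenticated` and the role claims inside a GET action that succeeds: if the identity is authenticated but has no role claims, the token was issued without them and any role-gated action will return this 401.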
