Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Office for the web passes the WOPI access token both as a URL parameter (called access_token) and in the Authorization header. This applies to all WOPI requests that originate from Office for the web.
This is done primarily for compatibility reasons. Some host rely on the Authorization header because they are using an OAuth stack for creating and managing WOPI access tokens. Because WOPI does not define a way for a host to indicate that they are using OAuth, Office for the web passes the access token both ways for maximum compatibility.
Tip
As a best practice, WOPI hosts should use the access token value from the URL parameter. This is the preferred way to pass access tokens, and not all WOPI clients will pass it in the Authorization header.