[solved] What is wrong with my POST REST Call?


Hi all,

I just unable to successfully pass the Authorization key/value pair into the POST call. What is wrong with my code?

HTTP.post(url, {
        params: {
            'Authorization': 'Basic YmFuaG0oLXN0b3JlLWFwaTpnZmh0eWpnaG52ZmhydHlqa3U2NTY3cnRkamdmaGp1eWhpaTdnNnVmNWV0aHZqYms='
    }, function (data) {
        console.log('From callback function: ' + data);

Respond from API:

From callback function: Error: failed [400] {"success":0,"error":["Client credentials were not found in the headers or body"],"data":[]}

It doesn’t get the key/value pair I POST. Please advice, thank you.


Shouldn’t the authorization be in the headers instead of params?

HTTP.post(url, {
        headers: {
            'Authorization': 'auth text'
    }, function (data) {
        console.log('From callback function: ' + data);

PS: It probably isn’t a good idea to post your authorization string.

1 Like

@storyteller, thanks the string is incorrect/edited. I’ve tried headers before post, the console will then complain about the following:

Failed to load https://staging.domain.com/api/rest/oauth2/token/client_credentials: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access. The response had HTTP status code 404.


Ah yes, that is different issue. Are you posting from client or server. This looks like from client.


Ya correct this is from client side.


I would recommend moving it to server in order to get rid of issues around the same origin policy that is enforced by the browser for security purposes.


Ok I’ll try it now. Thanks.


If you’re curious, the problem is the same-origin policy web browser adhere (which is good, from a security point of view). There exists workarounds, the best one being Cross-Origin Resource Sharing, which is what the web browser complains about (you’re not using it).


I tried even with or without the cross origin header, the issue is not there, it’s why authorization is not captured by the API endpoint. The endpoint complain The hash is not there.


For CORS to work, the server needs to support it. It may be that staging.domain.com doesn’t support CORS, in which case you can’t use their API through client side JavaScript.

1 Like

Do you have control of the endpoint? If yes where/how are you checking for the authorization?


I have control over the API. I already enable it to support CORS.

 #Add these lines to your .htaccess file
        Header set Access-Control-Allow-Origin "http://localhost:3000"
        Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header set Access-Control-Allow-Headers "X-Oc-Merchant-Language, X-Oc-Store-Id, Content-Type,X-Oc-Merchant-Id, X-Oc-Session"
        Header set Access-Control-Allow-Credentials: true
        RewriteRule .* - [E=HTTP_Authorization:%{HTTP:Authorization}]

I test the following endpoint with POSTMAN Client and it work without problem. That’s why I can be sure the API endpoint is not the problem.

You can test with the following temporary Basic Token:
Basic dGVtcG9yYXJ5OmdmaHR5amdobnZmaHJ0eWprdTY1NjdydGRqZ2ZoanV5aGlpN2c2dWY1ZXRodmpiaw==



I copy the example from Meteor Guide but still get error, why?

HTTP.call('POST', url, {
  headers: { Authorization: 'Basic YmFuaG0oLXN0b3JlLWFwaTpnZmh0eWpnaG52ZmhydHlqa3U2NTY3cnRkamdmaGp1eWhpaTdnNnVmNWV0aHZqYms=' }
}, (error, result) => {
  if (!error) {
OPTIONS https://staging.domain.com/api/rest/oauth2/token/client_credentials 404 (Not Found)
HTTP.call @ http.js?hash=d3dd208935f8ca87ff86948a53498046333fdb3b:231
mainapp.js @ mainapp.js:25
fileEvaluate @ modules-runtime.js?hash=9f9bb5e055614ddf4eb3e743737b7a5b3cfd9d34:353
require @ modules-runtime.js?hash=9f9bb5e055614ddf4eb3e743737b7a5b3cfd9d34:248
(anonymous) @ app.js?hash=8daeffa6cc9de7153955e303df13b6fb7dd0af84:20100
(index):1 Failed to load https://staging.domain.com/api/rest/oauth2/token/client_credentials: Response for preflight has invalid HTTP status code 404.

Server Admin enable OPTIONS in Apache config file and it’s working fine now. Thanks for all the help here.