Unauthorized Error (UNAUTHORIZED)

The request failed authentication. The gateway could not verify the identity of the caller.

Common causes

No authorization header - The request does not include an authorization header. Most authentication policies require this header to be present.
Invalid authorization header - The header value is malformed or uses an incorrect format. For bearer tokens, the expected format is Authorization: Bearer <token>.
Expired or revoked credentials - The token or API key has expired, been revoked, or is otherwise no longer valid.
Wrong authentication scheme - The request uses a different authentication method than the one configured on the route (for example, sending a bearer token when the route expects an API key).

How to test authentication

Verify the token or API key is valid and has not expired.
Confirm the authorization header format matches the expected scheme.
Test with a known-good credential to rule out token-specific issues.
Check the authentication policy configuration in the route designer to ensure it matches the expected authentication method.

API key authentication in Zuplo uses the Authorization: Bearer <api-key> header format by default. See API Key Authentication for configuration details.

Common mistakes

Including extra whitespace or newline characters in the token value.
Sending the token as a query parameter instead of a header.
Using the wrong API key for the target environment (for example, a development key against production).
Forgetting to add an authentication policy to the route.

Edit this page

Last modified on March 23, 2026

Unauthorized Error (UNAUTHORIZED)

The request failed authentication. The gateway could not verify the identity of the caller.

Common causes

No authorization header - The request does not include an authorization header. Most authentication policies require this header to be present.
Invalid authorization header - The header value is malformed or uses an incorrect format. For bearer tokens, the expected format is Authorization: Bearer <token>.
Expired or revoked credentials - The token or API key has expired, been revoked, or is otherwise no longer valid.
Wrong authentication scheme - The request uses a different authentication method than the one configured on the route (for example, sending a bearer token when the route expects an API key).

How to test authentication

Verify the token or API key is valid and has not expired.
Confirm the authorization header format matches the expected scheme.
Test with a known-good credential to rule out token-specific issues.
Check the authentication policy configuration in the route designer to ensure it matches the expected authentication method.

API key authentication in Zuplo uses the Authorization: Bearer <api-key> header format by default. See API Key Authentication for configuration details.

Common mistakes

Including extra whitespace or newline characters in the token value.
Sending the token as a query parameter instead of a header.
Using the wrong API key for the target environment (for example, a development key against production).
Forgetting to add an authentication policy to the route.

Edit this page

Last modified on March 23, 2026

Common causes

How to test authentication

Common mistakes

Related resources

Common causes

How to test authentication

Common mistakes

Related resources