Production responds to bad token with 401, sandbox with 403?


Jason

May 30, 2021, 9:22:51 PM
to ORCID API Users
Hi ORCID Inc,

Have just noticed that sandbox has reverted to again responding with 403 FORBIDDEN to a read request trying a bad access token, cf. production's 401 UNAUTHORISED.

Is that intended?

Cheers,
Jason.




Pedro Costa

May 31, 2021, 9:40:28 AM
to ORCID API Users
Hi Jason,

I'm seeing the sandbox member API respond with 401 to requests with an invalid access token. Could you please try again and share the call you're using?

Here's one of the calls I've tried:

curl -i -H "Accept: application/vnd.orcid+xml" -H 'Authorization: Bearer invalid-access-token' 'https://api.sandbox.orcid.org/v3.0/0000-0002-4315-9391/works'

And here's the response:

HTTP/1.1 401

{"error":"invalid_token","error_description":"Invalid access token: invalid-access-token"}

Note the response will be 403 if the call doesn't include "Bearer" in it, e.g. -H 'Authorization: invalid-access-token' as opposed to -H 'Authorization: Bearer invalid-access-token'.

Thanks,

Jason

May 31, 2021, 5:06:10 PM
to ORCID API Users
Thanks for the response Pedro, my mistake.  

The 403 was actually our intermediate service (NZ ORCID Hub's ORCID API proxy) giving this response when there was a call for an ORCID iD but the token had been deleted; it didn't pass the request on to sandbox.

Cheers,
Jason.
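
Added example, not part of the original posts and not ORCID or NZ ORCID Hub code: a Python triage helper that sorts a 401/403 into the three cases this thread ends up with (token rejected by the API, Authorization header missing the Bearer scheme, or a 403 produced by something in front of the API). The function names and result labels are assumptions, and the sample inputs are constructed from the request and response quoted above.

```python
import json
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token
BEARER_RE = re.compile(r"^Bearer +[A-Za-z0-9\-._~+/]+=*$")

def has_bearer_scheme(authorization):
    """True when the header value is syntactically a Bearer credential."""
    return bool(authorization) and BEARER_RE.match(authorization) is not None

def oauth_error(body):
    """Return the OAuth 'error' code from a JSON body, or None."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    return doc.get("error") if isinstance(doc, dict) else None

def triage(authorization, status, body=""):
    """Classify an auth failure using the cases discussed in this thread."""
    if status not in (401, 403):
        return "not-an-auth-failure"
    if not has_bearer_scheme(authorization):
        # Pedro's note: no "Bearer" in the header gives 403 rather than 401.
        return "malformed-authorization-header"
    if status == 401 and oauth_error(body) == "invalid_token":
        return "token-rejected-by-api"
    if status == 403:
        # Well-formed Bearer header but 403: in this thread the answer came
        # from an intermediate proxy, not from the ORCID API.
        return "check-intermediary"
    return "unclassified"

# Constructed samples based on the request and response quoted above.
SAMPLES = [
    ("Bearer invalid-access-token", 401,
     '{"error":"invalid_token","error_description":'
     '"Invalid access token: invalid-access-token"}'),
    ("invalid-access-token", 403, ""),
    ("Bearer invalid-access-token", 403, ""),
]

if __name__ == "__main__":
    for auth, status, body in SAMPLES:
        print(status, repr(auth), "->", triage(auth, status, body))
```

The "check-intermediary" result is a heuristic drawn from this thread only: it flags that the 403 may not have come from the ORCID API, it does not prove which hop produced it.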
