HPOO HTTP Client POST Authorization is Returning Error 400 Invalid Header

Hi all,

I have been working on integrating our office's password safe with HPOO to do credential lookups for audit flows etc using REST API.
I can perform the REST queries perfectly in Postman (REST client) without any issues, however when I attempt to use the HTTP Client POST operations within OO I run into an issue.

I am using Pleasent Password Server. I've also attached as many screenshots as I can to help troubleshoot the issue.

Step 1. First, I must authenticate to the password safe server using x-www-form-urlencoded form to pass my credentials to the server via POST, in return I receive a Bearer access token. This works fine using OO,I pull the value of "access_token" and assign to ${accessToken}. The next step is when I run into issues.


Step 2. I send a request to the server with the body "{Search : "server01.example.com"}", and a HTTP header "Authorization:<access_token>".
This returns all the information I require in Postman however I cannot get it working within OO...


According to the RFC, the correct syntax to pass a Bearer token via the Authorization head is "Authorization: Bearer ${accessToken}", however if I add this into the headers field in OO, I receive an "Error 400 - Invalid Header" error. I think this explicit header is clashing with the "authType" field, however authType will not accept Bearer as an option.

In the headers field I have tried so many different combinations, and I have confirmed that Authorization header is causing the issues, if I remove Authorization I get an access denied message.
I've tried:

  • Authorization: Bearer ${accessToken}
  • Authorization : ${accessToken}
  • Authorization:${accessToken}
  • Authorization:"${accessToken}"
  • so on...

I have also changed authType from 'any' to 'Basic' and this does not change anything, I've been trying to figure this out all day and it's driving me nuts. I'm thinking I have some kind of syntax error somewhere in the Authorization header but I can't figure it out.

Does anyone know where I'm going wrong? Or if anyone has ever had this issue before?

Thanks for any help in advance!


  • As far as I know the header should not be with Enter as I see it in your constant variable in studio.

    Put ; in between the Authorization and Content-Type.

    As for the Authorization itself you should put the Bearer example: <Authorization: Bearer ${valuehere}>

    Hope it helps,

  • I'm also experiencing the same issue when trying to specify the Authorization header. I know the header is well formed as it works from other HTTP/REST clients.
    I am also in control of the endpoint I am trying to POST to so have enabled extended logging on the API which does show the request is trying to use Basic authentication and not Bearer,

    So i guess that as Bearer is not an available authType within the HTTP Client POST operation, it is falling back to the default of Basic and resulting in the HTTP 400 (Bad Request - Invalid Header) response

    For now I've been able to workaround this by using the PowerShell Script operation and using the Invoke-RestMethod cmdlet but it would be good to have the HTTP Client operations support the use of Bearer tokens.

  • Hi,

     Instead of using the HTTP client post operation use the regular HTTP Client operation from the V2 folder. This is to separate the authorization header from the content type and remove any and all formating complications from that scenario. The HTTP Client operation has a separate input for content type.  

    In my opinion the auth type should be basic and in the headers  try one of the following:



    You could also try (now that you have split the content-type from the header to use Authorization:${accessToken}

    If all else fails if the password safe has a UI in which you can perform the same action as you are trying to perform from the API inspect the headers from the browser API call and use them in OO.

    Hope this Helps,




  • hi are you trying to call cyberark rest api? i am hitting same issue this is what was done to make it work.


  • Verified Answer

    I've been involved in other scenario with Bearer authentication.

    Finally been able to work by using

    - autyType -> digest

    - headers -> Authorization: Bearer ${accessToken}



  • Great reply! Switching to digest stopped the POST flow from automatically inserting "Basic" regardless of whether the option was set or deleted.