20

We're using Commission Junction's REST service, which requires that we send an API key in the Authorization header.

We set the header like this:

$ch = curl_init();
curl_setopt_array($ch, array(
  // set url, timeouts, encoding headers etc.
  CURLOPT_URL => 'https://....',
  // ...
));

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  'Authorization: ' . CJ_API_KEY,
  'User-Agent: ' . OUR_USER_AGENT
));

$response = curl_exec($ch);
$info = curl_getinfo($ch);

The problem is that the Authorization header isn't sent (we debugged this by using a local url and doing a var_export($_SERVER) which shows a User-Agent header is set, but not the Authorization header.)

If we change the header name to X-Authorization, it gets sent - but this hasn't helped us as the service specifically requires the Authorization header.

How do we get PHP + cURL to send an arbitrary Authorization header?

Why oh why is this not in the $_SERVER variable?! Incredible
(Commented May 16, 2013 at 13:29)

2 Answers

30

The Authorization header isn't included in PHP's $_SERVER variable. To properly debug a request you should use apache_request_headers() which shows we were sending the Authorization header exactly as we wanted.

The problem then moved on to figuring out exactly what to put in the Authorization header given some pretty bad documentation.


4 Comments

How do I close this question as irrelevant now?
You don't need to close it. It was a valid question and you answered it. Someone else may find this information very useful one day.
I just found this useful... some two years later.
I can send HTTP header these days: curl_setopt($apiCon, CURLOPT_HTTPHEADER, array('Host: api.mixi-platform.com', 'Authorization: OAuth ' . $accessToken));
4

When the header is set by the client, then the Authorization-header from the request is included in $_SERVER — not sure if this is something new, but it is now. HTTP-headers get prefixed in the $_SERVER array with HTTP_ which may be something you previously overlooked.

Also, apache_request_headers() is a function which is only defined when you use Apache as a web server. So everyone with nginx etc. is left out.

Demo

On the server-side:

<?php
// server.php
var_dump($_SERVER['HTTP_AUTHORIZATION']);

Test

Start a webserver (requires PHP 5.4):

$ php -S 0.0.0.0:31337 -t .

Make sure server.php is in the current directory.

Use cURL to test:

$ curl -H 'Authorization: FOO' http://0.0.0.0:31337/server.php
string(3) "FOO"

Works. :)
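Added example, not code from either answer above: a server-side lookup that covers both places the answers mention (`$_SERVER` and `apache_request_headers()`) and logs only the scheme, so a debugging dump does not leak the API key. The helper names `readAuthorizationHeader()` and `describeCredential()` and all sample values are constructed for illustration; the `REDIRECT_HTTP_AUTHORIZATION` key is what Apache sets after an internal rewrite.

```php
<?php
// Added example. readAuthorizationHeader() and describeCredential() are
// hypothetical helper names, not PHP built-ins.

function readAuthorizationHeader(array $server, ?callable $headerSource = null): ?string
{
    // The SAPI normally exposes the header with an HTTP_ prefix; after an
    // Apache internal redirect (mod_rewrite) it carries a REDIRECT_ prefix.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return trim($server[$key]);
        }
    }
    // Fall back to the raw header list only where the function is defined.
    if ($headerSource === null && function_exists('apache_request_headers')) {
        $headerSource = 'apache_request_headers';
    }
    $headers = $headerSource !== null ? $headerSource() : [];
    if (!is_array($headers)) {
        $headers = [];
    }
    foreach ($headers as $name => $value) {
        // Header names are case-insensitive.
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            return trim($value);
        }
    }
    return null;
}

// Debug output should show that a credential arrived, never the credential.
function describeCredential(?string $header): string
{
    if ($header === null) {
        return 'absent';
    }
    $parts = explode(' ', $header, 2);
    return count($parts) === 2 ? $parts[0] . ' <redacted>' : '<redacted>';
}

// Constructed inputs standing in for $_SERVER under different setups.
$cases = [
    'direct'    => [['HTTP_AUTHORIZATION' => 'Bearer constructed-token'], null],
    'rewritten' => [['REDIRECT_HTTP_AUTHORIZATION' => 'Basic Y29uc3RydWN0ZWQ='], null],
    'raw list'  => [[], function () { return ['authorization' => 'constructed-api-key']; }],
    'missing'   => [[], function () { return ['User-Agent' => 'demo']; }],
];
foreach ($cases as $label => [$server, $source]) {
    echo $label, ': ', describeCredential(readAuthorizationHeader($server, $source)), PHP_EOL;
}
```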
