# 401 Unauthorized: Authorization header missing 'Bearer' prefix

- **ID:** `api/oauth2-authorization-header-missing-bearer`
- **Domain:** api
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

Client sent a token in the Authorization header without the required 'Bearer ' scheme prefix, causing the server to reject the request.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| OAuth 2.0 (RFC 6750) | active | — | — |
| OpenID Connect 1.0 | active | — | — |
| Spring Security 6.0+ | active | — | — |
| ASP.NET Core 7+ | active | — | — |

## Workarounds

1. **Ensure the Authorization header value starts with 'Bearer ' followed by the token.** (90% success)
   ```
   curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' https://api.example.com/resource
   ```
2. **If using a client library, check its configuration to ensure it adds the 'Bearer ' prefix automatically. For example, with the Python requests library:** (85% success)
   ```
   headers = {'Authorization': f'Bearer {token}'}
   ```
3. **Log the raw Authorization header value on the client side to verify the prefix is present before sending.** (95% success)
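The three workarounds above are one procedure: build the header correctly, check it before sending, and know what the server's parser accepts. The Python block below is an added example, not code from the original page, and it assumes no particular HTTP client; every header it handles is a constructed sample. `build_bearer_header` does what workaround 2 shows for the requests library, `check_authorization_header` is the pre-send check from workaround 3 (it reports only the scheme, never the token value, so the log line is safe to keep in production), and `parse_bearer_token` is a server-side resolver written to the RFC 6750 `b64token` grammar (`Bearer` 1*SP b64token, scheme matched case-insensitively as RFC 7235 allows). Running the samples through the resolver also shows why the three dead ends fail: a bare token, a `Token` scheme and a URL-encoded token all come back as `None`, which is the 401 path.

```python
import re
from typing import Optional

# RFC 6750 section 2.1:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
# The scheme name is case-insensitive per RFC 7235; the token is not.
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def build_bearer_header(token: str) -> dict:
    """Client side (workaround 2): build the header the way the page shows
    for the requests library, refusing inputs that would produce a bad header."""
    if not token or token != token.strip():
        raise ValueError("token must be non-empty with no surrounding whitespace")
    if token.lower().startswith("bearer "):
        raise ValueError("pass the raw token; the scheme prefix is added here")
    return {"Authorization": f"Bearer {token}"}


def check_authorization_header(value: Optional[str]) -> tuple:
    """Client side (workaround 3): pre-send check that the 'Bearer ' prefix is
    present. Returns (ok, reason); the reason never contains the token itself."""
    if not value:
        return False, "Authorization header is empty"
    scheme, sep, rest = value.partition(" ")
    if not sep:
        # No space at all: the whole value is a bare token with no scheme.
        return False, "no scheme: header value is a bare token"
    if scheme != "Bearer":
        return False, f"wrong scheme {scheme!r} (server expects 'Bearer')"
    if not rest.strip():
        return False, "scheme present but token is missing"
    return True, "ok"


def parse_bearer_token(header: Optional[str]) -> Optional[str]:
    """Server side: extract the bearer token per RFC 6750.
    None means the request gets a 401 (missing or malformed credentials)."""
    if header is None:
        return None
    match = BEARER_RE.match(header)
    return match.group(1) if match else None


# Constructed sample headers covering the page's workarounds and dead ends.
SAMPLE_HEADERS = {
    "correct":      "Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2ln",
    "bare_token":   "eyJhbGciOiJIUzI1NiJ9.e30.c2ln",          # dead end: no prefix
    "token_scheme": "Token eyJhbGciOiJIUzI1NiJ9.e30.c2ln",    # dead end: wrong scheme
    "url_encoded":  "Bearer eyJhbGciOiJIUzI1NiJ9%2Ee30%2Ec2ln",  # dead end: '%' not in b64token
    "empty_token":  "Bearer ",
}


def classify_samples() -> dict:
    """Run every sample through the server-side resolver; True means accepted."""
    return {name: parse_bearer_token(value) is not None
            for name, value in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    # Client flow: build, check, then (in a real client) send.
    hdr = build_bearer_header("eyJhbGciOiJIUzI1NiJ9.e30.c2ln")
    print("pre-send check:", check_authorization_header(hdr["Authorization"]))
    # Server view of each sample.
    for name, accepted in classify_samples().items():
        print(f"{name:13s} -> {'200' if accepted else '401'}")
```

Only `correct` is accepted; the other four samples are exactly the shapes that produce the 401 described in the root cause, so the same resolver doubles as a quick local reproduction when a client is being debugged.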

## Dead Ends

- The token itself is already base64-encoded and does not require additional encoding; URL encoding may corrupt the token. (30% fail)
- The server strictly checks for the exact 'Bearer ' string; missing it still results in a 401. (50% fail)
- Most modern OAuth 2.0 servers only recognize 'Bearer'; using 'Token' leads to rejection. (70% fail)
