Open
Description
Authenticated API endpoints return 401 Unauthorized when using the X-API-Key header, even with a valid API key. Bearer token auth also fails. Only cookie-based auth (from the login endpoint's Set-Cookie) works.
Steps to Reproduce
```bash
# 1. Login works fine
curl -s -X POST https://ugig.net/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"pass"}' | jq .message
# -> "Login successful"

# 2. API key auth fails
curl -s -H 'X-API-Key: ugig_live_XXXX' https://ugig.net/api/profile | jq .error
# -> "Unauthorized"

# 3. Bearer token auth also fails
TOKEN=$(curl -s -X POST ... | jq -r '.session.access_token')
curl -s -H "Authorization: Bearer $TOKEN" https://ugig.net/api/profile | jq .error
# -> "Unauthorized"

# 4. Cookie auth works
curl -s -c cookies -X POST https://ugig.net/api/auth/login -H 'Content-Type: application/json' -d '{...}'
curl -s -b cookies https://ugig.net/api/profile | jq .profile.username
# -> "gendolf" ✓
```
Expected
Per the OpenAPI spec (/api/openapi.json), both bearerAuth and apiKey security schemes should work for authenticated endpoints.
Impact
- Critical for AI agents/bots: Agents rely on API keys for server-to-server auth. Cookie auth requires maintaining a session, which is impractical for automated clients.
- The CLI tool (ugig config set api_key) and agent onboarding docs reference API key auth.
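A regression check for the spec/implementation drift reported above, as an added example that is not part of the original issue or of ugig's code: it turns each security scheme an OpenAPI document declares for an operation into the request headers to probe with, then lists the declared schemes that did not authenticate. The spec fragment is constructed (the real /api/openapi.json is not shown on this page), and the function names and the `<access_token>` placeholder are hypothetical.

```python
import json

# Constructed OpenAPI fragment; scheme names and the X-API-Key header follow the issue text.
SPEC = json.loads("""
{
  "components": {"securitySchemes": {
    "bearerAuth": {"type": "http", "scheme": "bearer"},
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}
  }},
  "paths": {"/api/profile": {"get": {"security": [{"bearerAuth": []}, {"apiKey": []}]}}}
}
""")

def credential_headers(scheme, secret):
    """Translate one OpenAPI security scheme into the request headers it implies."""
    if scheme["type"] == "http" and scheme.get("scheme", "").lower() == "bearer":
        return {"Authorization": f"Bearer {secret}"}
    if scheme["type"] == "apiKey" and scheme.get("in") == "header":
        return {scheme["name"]: secret}
    raise ValueError(f"unsupported scheme: {scheme}")

def declared_probes(spec, path, method, secrets):
    """Build one probe per security alternative declared for the operation."""
    schemes = spec["components"]["securitySchemes"]
    op = spec["paths"][path][method]
    probes = {}
    # Operation-level security overrides the document-level default.
    for requirement in op.get("security", spec.get("security", [])):
        headers = {}
        for name in requirement:  # schemes inside one requirement are ANDed
            headers.update(credential_headers(schemes[name], secrets[name]))
        probes["+".join(sorted(requirement))] = headers
    return probes

def drift(probes, observed_status):
    """Return declared schemes whose probe did not get a 2xx status."""
    return sorted(n for n in probes if not 200 <= observed_status.get(n, 0) < 300)

if __name__ == "__main__":
    secrets = {"bearerAuth": "<access_token>", "apiKey": "ugig_live_XXXX"}
    probes = declared_probes(SPEC, "/api/profile", "get", secrets)
    # Statuses as reported in this issue; in CI, fill this by sending each probe.
    observed = {"bearerAuth": 401, "apiKey": 401}
    print(drift(probes, observed))
```

Run in CI against a test account, a non-empty result from `drift` fails the build whenever an advertised scheme stops authenticating.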