Set Authorization header using PHP and curl

Question

We're using Commission Junction's REST service, which requires we sent an API key in the Authorization header.

We set the header like this:

$ch = curl_init();
curl_setopt_array($ch, array(
  // set url, timeouts, encoding headers etc.
  CURLOPT_URL => 'https://....',
  // ...
));

curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  'Authorization: ' . CJ_API_KEY,
  'User-Agent: ' . OUR_USER_AGENT
));

$response = curl_exec($ch);
$info = curl_getinfo($ch);

The problem is that the Authorization header isn't sent (we debugged this by using a local url and doing a var_export($_SERVER) which shows a User-Agent header is set, but not the Authorization header.)

If we change the header name to X-Authorization, it gets sent - but this hasn't helped us as the service specifically requires the Authorization header.

How do we get PHP + cURL to send an arbitrary Authorization header?

Why oh why is this not in the $_SERVER variable?! Incredible — Peter Kelly, May 16 '13 at 13:29

score 30 · Accepted Answer · answered Aug 20 '09 at 09:51

30

The Authorization header isn't included in PHP's $_SERVER variable. To properly debug a request you should use apache_request_headers() which shows we were sending the Authorization header exactly as we wanted.

The problem then moved on to figuring out exactly what to put in the Authorization header given some pretty bad documentation.

answered Aug 20 '09 at 09:51

searlea

8,173
4
34
37

How do I close this question as irrelevant now? – searlea Aug 20 '09 at 09:53
6

You don't need to close it. It was a valid question and you answered it. Someone else may find this information very useful one day. – Darrel Miller Aug 20 '09 at 13:08
16

I just found this useful... some two years lates. – gargantuan May 19 '11 at 10:26
1

I can send HTTP header these days: curl_setopt($apiCon, CURLOPT_HTTPHEADER, array('Host: api.mixi-platform.com', 'Authorization: OAuth ' . $accessToken)); – emeraldhieu Dec 08 '11 at 15:41

score 4 · Answer 2 · answered Jan 17 '13 at 17:12

When the header is set by the client, then the Authorization-header from the request is included in $_SERVER — not sure if this is something new, but it is now. HTTP-headers get prefixed in the $_SERVER array with HTTP_ which may be something you previously overlooked.

Also, apache_request_headers() is a function which is only defined when you use Apache as a web server. So everyone with nginx etc. is left out.

Demo

On the server-side:

<?php
// server.php
var_dump($_SERVER['HTTP_AUTHORIZATION']);

Test

Start a webserver (requires PHP 5.4):

$ php -S 0.0.0.0:31337 -t .

Make sure server.php is in the current directory.

Use cURL to test:

$ curl -H 'Authorization: FOO' http://0.0.0.0:31337/server.php
string(3) "FOO"

Works. :)

Set Authorization header using PHP and curl

2 Answers2

Demo

Test

Linked