Jul 25, 2021 - 2 minute read - API Testing API Challenges Evil Tester

Challenge 32 - How To - Unauthorized 401

This post and video show how to complete the unauthorized secret note challenge, which returns a status code of 401 Unauthorized.

What are the API Challenges?

Our API Challenges Application has a fully functional cloud hosted API, and a set of challenges to work through.

Authorization Challenge

Most of the challenges simply require the correct payload, and an X-Challenger header to track the session. The authentication challenges require an extra header, the value for which can only be obtained with a username and password. This value is obtained when completing challenge 30.

The X-CHALLENGER header authenticates you to access a specific set of secret notes, and the X-AUTH-TOKEN authorizes you to gain access.

  • Authentication is “are you who you say you are” (X-CHALLENGER)
  • Authorization is “do you have the right permissions” (X-AUTH-TOKEN)

Challenge 32 Unauthorized

Issue a GET request on the /secret/note endpoint and receive 401 when no X-AUTH-TOKEN header is present

  • GET request means use the HTTP Verb GET
    • e.g. GET /secret/note sends to the secret note endpoint
  • no X-AUTH-TOKEN header present means no custom header named X-AUTH-TOKEN should be added to the message
  • add the X-CHALLENGER header to track progress
  • Receive a 401 UNAUTHORIZED response because no authorization token is present

Basic Instructions

  • Create a new request for the /secret/note endpoint
    • if running locally that endpoint would be
      • http://localhost:4567/secret/note
    • if running in the cloud that endpoint would be
      • https://apichallenges.herokuapp.com/secret/note
  • The verb should be a GET
  • Ensure there is no custom header with the name X-AUTH-TOKEN
  • The request should have an X-CHALLENGER header to track challenge completion
  • You should receive a 401 response - meaning you are not authorized
> GET /secret/note HTTP/1.1
> Host: apichallenges.herokuapp.com
> User-Agent: insomnia/2021.2.2
> X-CHALLENGER: x-challenger-guid
> Accept: */*

< HTTP/1.1 401 Unauthorized
< Connection: close
< Date: Sun, 25 Jul 2021 10:42:36 GMT
< Content-Type: application/json
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Headers: *
< X-Challenger: 1x-challenger-guid
< Server: Jetty(9.4.z-SNAPSHOT)
< Via: 1.1 vegur
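
The steps above as a repeatable negative authorization check, written as an added example that is not part of the original post or the API Challenges project. The local stub server, the function names and the token value are constructed for illustration; the stub only models the 401-without-token behaviour described here, so the script runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class StubSecretNote(BaseHTTPRequestHandler):
    """Constructed stand-in for the API: 401 when X-AUTH-TOKEN is absent."""
    def do_GET(self):
        missing = self.headers.get("X-AUTH-TOKEN") is None
        # 401 is what challenge 32 expects; accepting any token is this stub's assumption
        status = 401 if missing else 200
        self.send_response(status)
        self.send_header("X-Challenger", self.headers.get("X-CHALLENGER", ""))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the run quiet
        pass

def get_secret_note(base_url, challenger, auth_token=None):
    """GET /secret/note; X-AUTH-TOKEN is sent only when auth_token is given."""
    url = urlsplit(base_url)
    https = url.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(url.netloc, timeout=5)
    headers = {"X-CHALLENGER": challenger, "Accept": "*/*"}
    if auth_token is not None:
        headers["X-AUTH-TOKEN"] = auth_token
    try:
        conn.request("GET", "/secret/note", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("X-Challenger")
    finally:
        conn.close()

def run_against_stub():
    """Start the stub on a free local port and send both requests to it."""
    server = HTTPServer(("127.0.0.1", 0), StubSecretNote)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_address[1]
        return {"no_token": get_secret_note(base, "x-challenger-guid"),
                "with_token": get_secret_note(base, "x-challenger-guid", "constructed-token")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_against_stub())
```

To run the same check against a real instance, pass one of the base URLs listed above and your own X-CHALLENGER value to get_secret_note.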
