Getting a 401 unauthorized on an API which has keyless authentication


I created an API and set the auth mode to ‘keyless’. In the endpoint designer, I have added an endpoint and added the “whitelist” plugin to that endpoint. However, when I curl the endpoint, I get a “401 Unauthorized”.


Hi Suman

Is it working as it should without the whitelist?


I removed the ‘whitelist’ plugin, which removed the path from the endpoint designer page. I am guessing, since there is no whitelist, it is passing through the request.

However, when I try a curl command, I still get 401 unauthorized.

Is there a problem with the curl, perhaps a missing trailing slash or something like that?

If you share, I can try and help; your config or gateway logs also help!


Hi Josh,

What’s the best way to share the config and the logs?

The curl looks fine:

curl -vvv -X GET "" -H "accept: application/vnd.api+json" -H "Accept-Version: v3"
*   Trying
* Connected to ( port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *
* Server certificate: Amazon
* Server certificate: Amazon Root CA 1
* Server certificate: Starfield Services Root Certificate Authority - G2
> GET /api/users/1 HTTP/1.1
> Host:
> User-Agent: curl/7.43.0
> accept: application/vnd.api+json
> Accept-Version: v3
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache
< Cache-Control: no-cache="set-cookie"
< Content-Type: application/vnd.api+json; charset=utf-8
< Date: Thu, 02 Nov 2017 18:00:38 GMT
< Server: nginx
< Set-Cookie: AWSELB=BB4F0F6B10D7B78070A42BEC9B8517789C9DB8D49BCE30E462DA619F0515804B49E8C69AAA19C4975677DF25341E0D66626438498353C768F587DF27035FBE6C7F81E37572;PATH=/;MAX-AGE=43200
< Status: 401 Unauthorized
< Vary: Origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Ratelimit-Limit: 0
< X-Ratelimit-Remaining: 0
< X-Ratelimit-Reset: 0
< X-Request-Id: 8012defe-403c-4eef-89c9-0ca5540ba162
< X-Runtime: 0.003451
< X-Xss-Protection: 1; mode=block
< Content-Length: 0
< Connection: keep-alive
* Connection #0 to host left intact


I just replicated this on a cloud account and if you add a trailing slash i.e.

Then the request works.