Fix critical auth: send access-token header instead of Authorization: Bearer

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to `cryptohopper/sdk` are documented here. The format follow
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and the project
 adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.1.0-alpha.2] - Unreleased
+
+### Fixed
+- **Critical: every authenticated request was rejected by the API gateway.** The transport sent `Authorization: Bearer <token>`, which the AWS API Gateway in front of `api.cryptohopper.com/v1/*` rejects (`405 Missing Authentication Token`). Cryptohopper's Public API v1 uses `access-token: <token>` — confirmed by the official [API documentation](https://www.cryptohopper.com/api-documentation/how-the-api-works) and the legacy iOS/Android SDKs. Switching to send `access-token`. The `Authorization` header is no longer set.
+
+### Compatibility
+No public-API change. `$client->user->get()`, `$client->hoppers->list()`, etc. keep their signatures.
+
 ## [0.1.0-alpha.1] - 2026-04-24
 
 Initial alpha release. Full coverage of the 18 public API domains from day one.

src/Transport.php

@@ -156,9 +156,12 @@ private function buildUrl(string $path, ?array $query): string
     private function buildHeaders(bool $hasBody): array
     {
         $headers = [
-            'Authorization' => "Bearer {$this->apiKey}",
-            'Accept'        => 'application/json',
-            'User-Agent'    => $this->buildUserAgent(),
+            // Cryptohopper Public API v1 uses `access-token: <token>`, not the
+            // OAuth2-conventional `Authorization: Bearer <token>`. The gateway
+            // in front of the API rejects Bearer with a SigV4 parse error.
+            'access-token' => $this->apiKey,
+            'Accept'       => 'application/json',
+            'User-Agent'   => $this->buildUserAgent(),
         ];
         if ($this->appKey !== null && $this->appKey !== '') {
             $headers['x-api-app-key'] = $this->appKey;

src/Version.php

@@ -6,7 +6,7 @@
 
 final class Version
 {
-    public const VERSION = '0.1.0-alpha.1';
+    public const VERSION = '0.1.0-alpha.2';
 
     private function __construct()
     {

tests/ClientTest.php

@@ -17,14 +17,15 @@ public function testRejectsEmptyApiKey(): void
         new Client(apiKey: '');
     }
 
-    public function testSendsBearerTokenAndUserAgent(): void
+    public function testSendsAccessTokenAndUserAgent(): void
     {
         $backend = new MockBackend([new Response(200, [], '{"data":{"id":1}}')]);
 
         $backend->client->user->get();
 
         $req = $backend->last();
-        self::assertSame('Bearer test-token', $req->getHeaderLine('Authorization'));
+        self::assertSame('test-token', $req->getHeaderLine('access-token'));
+        self::assertSame('', $req->getHeaderLine('Authorization'), 'Authorization header must NOT be set on v1 API calls');
         self::assertStringStartsWith('cryptohopper-sdk-php/' . Version::VERSION, $req->getHeaderLine('User-Agent'));
         self::assertSame('application/json', $req->getHeaderLine('Accept'));
         self::assertSame('', $req->getHeaderLine('x-api-app-key'));