Skip to content

Fix critical auth: send access-token header instead of Authorization: Bearer #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pimfeltkamp merged 1 commit into from
Apr 28, 2026
Merged

Fix critical auth: send access-token header instead of Authorization: Bearer #7

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,15 @@

All notable changes to the `cryptohopper` crate are documented in this file.

## 0.1.0-alpha.1 — Unreleased
## 0.1.0-alpha.2 — Unreleased

### Fixed
- **Critical: every authenticated request was rejected by the API gateway.** The transport sent `Authorization: Bearer <token>`, which the AWS API Gateway in front of `api.cryptohopper.com/v1/*` rejects (`405 Missing Authentication Token`). Cryptohopper's Public API v1 uses `access-token: <token>` — confirmed by the official [API documentation](https://www.cryptohopper.com/api-documentation/how-the-api-works) and the legacy iOS/Android SDKs. Switching to send `access-token`. The `Authorization` header is no longer set.

### Compatibility
No public-API change. Resource methods keep their signatures.

## 0.1.0-alpha.1 — 2026-04-24

Initial release. Full coverage of all 18 public API domains from day one.

Expand Down
2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[package]
name = "cryptohopper"
version = "0.1.0-alpha.1"
version = "0.1.0-alpha.2"
edition = "2021"
rust-version = "1.76"
authors = ["Cryptohopper <info@cryptohopper.com>"]
Expand Down
5 changes: 4 additions & 1 deletion src/client.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -274,8 +274,11 @@ impl Transport {
builder = builder.query(q);
}

// Cryptohopper Public API v1 uses `access-token: <token>`, not the
// OAuth2-conventional `Authorization: Bearer <token>`. The gateway
// in front of the API rejects Bearer with a SigV4 parse error.
builder = builder
.header(header::AUTHORIZATION, format!("Bearer {}", self.api_key))
.header("access-token", self.api_key.as_str())
.header(header::ACCEPT, "application/json")
.header(header::USER_AGENT, &self.user_agent);

Expand Down
4 changes: 2 additions & 2 deletions tests/client_tests.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@ fn build(server: &MockServer) -> Client {
}

#[tokio::test]
async fn sends_bearer_user_agent_and_unwraps_data() {
async fn sends_access_token_user_agent_and_unwraps_data() {
let server = MockServer::start().await;
Mock::given(method("GET"))
.and(path("/user/get"))
.and(header("Authorization", "Bearer ch_test"))
.and(header("access-token", "ch_test"))
.and(header("Accept", "application/json"))
.and(header_exists("User-Agent"))
.respond_with(ResponseTemplate::new(200).set_body_json(json!({"data": {"hello": "world"}})))
Expand Down