INSANE 🛠️ Agentic Engineering

The API Key That Works In Postman

Description

Your API key works in Postman. Curl works too. Your React app gets 403 Forbidden. Same key, same endpoint. The Network tab shows... wait, it shows an OPTIONS request, not your actual GET.


Your API is behind AWS API Gateway. The gateway doesn't have an OPTIONS handler configured. AWS API Gateway returns its default error for any unmatched route/method — and the error message is deliberately misleading.


What is the exact error message in the JSON response body from AWS API Gateway?


The error message is the lie. The status code is the truth. And neither tells you it's a CORS problem.

Input Data

```
# Browser Network tab:
OPTIONS https://api.acme.co/v1/products  403 Forbidden

# Response body:
{"message":"Missing Authentication Token"}

# Response headers:
x-amzn-errortype: MissingAuthenticationTokenException

# Your fetch code:
const res = await fetch('https://api.acme.co/v1/products', {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  }
});

# Postman (works fine — no preflight):
GET https://api.acme.co/v1/products
Authorization: Bearer sk_live_abc123
→ 200 OK ✓

# AWS API Gateway returns "Missing Authentication Token" for ANY
# request to an unconfigured route or method — including OPTIONS.
# It's not actually about authentication. It's CORS misconfiguration.
```
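Why the browser sends OPTIONS at all, and how to recognise this exact failure from a Network-tab entry, as an added example that is not part of the original challenge. `preflightReasons` and `diagnose` are hypothetical helper names, and the preflight check is a simplified model of the Fetch rules for a cross-origin request (it leaves out the `Range` header and header-value length limits).

```javascript
// Added example: simplified model of the browser's CORS preflight decision.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns the reasons a cross-origin request is preflighted (empty = no preflight).
function preflightReasons(method, headers = {}) {
  const reasons = [];
  if (!SAFE_METHODS.has(method.toUpperCase())) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) continue;
    if (n === 'content-type') {
      // Only the three form-style media types are safelisted; parameters are ignored.
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    reasons.push(`header ${n}`);
  }
  return reasons;
}

// Classifies one Network-tab entry the way the challenge text reads it.
function diagnose(entry) {
  const errType = (entry.headers || {})['x-amzn-errortype'];
  const unmatched = entry.status === 403 &&
    errType === 'MissingAuthenticationTokenException';
  if (unmatched && entry.method === 'OPTIONS') {
    return 'preflight-unhandled'; // gateway has no OPTIONS method on this route
  }
  if (unmatched) return 'route-or-method-unmatched';
  return 'other';
}

// Constructed sample data, modelled on the Input Data block above.
const pageRequest = { method: 'GET', headers: {
  Authorization: 'Bearer <api key>', 'Content-Type': 'application/json' } };
const pageResponse = { method: 'OPTIONS', status: 403,
  headers: { 'x-amzn-errortype': 'MissingAuthenticationTokenException' },
  body: '{"message":"Missing Authentication Token"}' };

console.log(preflightReasons(pageRequest.method, pageRequest.headers));
console.log(diagnose(pageResponse));
```

Both headers in the fetch call independently force a preflight, so dropping only one of them would still produce the OPTIONS request.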
