I was recently looking into using our Mantis Bug Tracker instance to automatically generate product road-maps - now that we are actually starting to properly plan product updates and as keeping them up to date manually isn't really working.

I spent a fair amount of fruitless time sending requests to Mantis via Postman only for every single request to fail with 401 API Token required - despite the fact I'd created a limited access user and generated an API token associated with that.

An error I swiftly got tired of seeing...

In the end after looking at the Mantis source files, I resorted to editing AuthMiddleware.php directly on the server to start spitting out output as a crude way of attempting to identify the issue. This showed that the Authorization header just wasn't present - any other header I sent was there, just that one in particular was missing.

The documentation for apache_request_headers doesn't mention anything about authorisation, nor does getallheaders. $_SERVER on the other hand mentions that new values may be created based on the contents of the Authorization header but it too doesn't state anything about the header being removed.

Fortunately, I found an answer in a user comment for the HTTP authentication with PHP documentation topic, which is to alter your .htaccess file to include the following line:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

I made this change to the .htaccess file located in the Mantis REST API client folders (I didn't do it at the root level), and now the API is working. Baby steps...

Please note however that I'm not a PHP developer, and when it comes to hosting, I'm an IIS guy and have very little familiarity with Apache. So while this tweak works for me, I can't state for certain it is the correct approach or if it should have been handled another way. Nor do I know what the cause is - seems odd that if this was official PHP behaviour that it isn't documented anywhere that I could find. If you know of a better way please let me know!

Content! Glorious glorious content!

Update History

  • 2017-07-06 - First published
  • 2020-11-22 - Updated formatting
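
A less invasive way to make the check the post describes doing by editing AuthMiddleware.php, as an added example (not part of the original post or of MantisBT): a temporary PHP script that reports where PHP can see the Authorization header without printing the token. The function names and the script are hypothetical; `REDIRECT_HTTP_AUTHORIZATION` is the name Apache gives the variable after an internal redirect.

```php
<?php
// Added diagnostic, not MantisBT code. Place it beside the REST API's .htaccess,
// request it once with an Authorization header, then delete it.

/** Report where PHP can see the Authorization header, without echoing the credential. */
function locate_authorization(array $server, array $headers): array
{
    $found = [];
    // Header list from getallheaders()/apache_request_headers(); names are case-insensitive.
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            $found['getallheaders()'] = redact((string) $value);
        }
    }
    // HTTP_AUTHORIZATION is the variable the SetEnvIf line creates; the REDIRECT_
    // prefix appears when Apache performed an internal redirect (e.g. a rewrite).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $found['$_SERVER[' . $key . ']'] = redact((string) $server[$key]);
        }
    }
    return $found;
}

/** Keep the scheme (if any) and the length; never the token itself. */
function redact(string $value): string
{
    $parts = explode(' ', trim($value), 2);
    $scheme = count($parts) === 2 ? $parts[0] . ' ' : '';
    return $scheme . '<' . strlen(end($parts)) . ' chars redacted>';
}

if (PHP_SAPI !== 'cli') {
    $headers = function_exists('getallheaders') ? getallheaders() : [];
    header('Content-Type: text/plain');
    $found = locate_authorization($_SERVER, $headers ?: []);
    echo 'SAPI: ' . PHP_SAPI . "\n";
    echo $found ? print_r($found, true) : "Authorization header not visible to PHP\n";
} else {
    // Constructed sample: header absent from the header list, restored via SetEnvIf.
    print_r(locate_authorization(['HTTP_AUTHORIZATION' => 'constructed-sample-token'], ['Accept' => '*/*']));
}
```

An empty result alongside a CGI or FastCGI SAPI name matches the symptom in the post; after the .htaccess change the `$_SERVER[HTTP_AUTHORIZATION]` entry should appear.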



# Pawan

You Saved me! Thanks a lot.


# David Rose

4 hours I'll not get back trying to get the API to work. 30 secs after reading the above it's all working :) Many thanks


# Michael

Works like a charm :D


# PM

Works great, thank you!


# dregad

This problem was reported here https://mantisbt.org/bugs/view.php?id=26365 and I only recently took notice.

I believe that a more appropriate fix would be to add CGIPassAuth On to the .htaccess file instead of the SetEnvIf directive you suggested, and the Issue's reporter just confirmed that it does address the issue.

This will be fixed in the next release of MantisBT (2.25.8).


# Richard Moss


Thanks for taking the time to comment, and for addressing this in MantisBT itself!

I just tested this myself, unfortunately I wasn't successful - first I commented out the line I added all those years ago and verified that it went back to the 401 behaviour. Next I added the new line you recommended - unfortunately this appears to be causing a crash somewhere as I get a 500 error response instead. I was using a GUI tool that doesn't provide any more context so I'll need to dig further to see if there is any clue as to why. Current version I'm using 2.25.6, but off the top of my head I don't recall the PHP version.

Regards; Richard Moss


# Richard Moss


To follow up from my original comment, as noted this doesn't work with whatever configuration issues.cyotek.com uses, the log files show

[core:alert] <path>/api/rest/.htaccess: Invalid command 'CGIPassAuth', perhaps misspelled or defined by a module not included in the server configuration

So I guess there is something missing in the hosting config that doesn't allow this particular setting, still haven't a real clue on Apache or nginx. However, it does suggest that it may not be a one-size-fits-all fix for any other affected users, possibly unlike the SetEnvIf directive.

Not sure if you'll get these replies, I think I have an account on Mantis as I logged some other issues with the REST API a few years ago so I will try and comment there.

Richard Moss