Context
According to RFC 7235, the authentication scheme is case-insensitive.
Current Behavior
Some clients downcase the scheme (e.g. authorization: bearer xyz) which results in Prism rejecting the request and triggering the 401 response.
The current implementation expects exact matches for all schemes.
Expected Behavior
Prism should downcase the scheme.
The following are all equivalent:
```
Authorization: Bearer xyz
Authorization: bearer xyz
authorization: bearer xyz
AutHORizAtIon: BeaRer xyz
```
Possible Workaround/Solution
n/a
Steps to Reproduce
Start a mock with the following OAD:
```yaml
openapi: 3.1.1
info:
  title: Scheme Repro
security:
  - bearerAuth: []
paths:
  /:
    get:
      summary: Authenticate
      operationId: authenticate
      security:
        - bearerAuth: []
      responses:
        '200':
          description: Authenticated user information retrieved successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/User'
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: Bearer token authentication
  responses:
    Unauthorized:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/UnauthorizedError'
  schemas:
    User:
      description: A user
      type: object
      properties:
        id:
          type: integer
    UnauthorizedError:
      description: An error
      type: object
      properties:
        type:
          type: string
        title:
          type: string
        status:
          type: integer
          format: int64
        detail:
          type: string
```
Run the following curl commands to see the different behaviour
```
curl http://localhost:4010/ -H"Authorization: bearer 1234"
{"type":"string","title":"string","status":-9007199254740991,"detail":"string"} # 401

curl http://localhost:4010/ -H"Authorization: Bearer 1234"
{"id":-9007199254740991} # 200
```
Environment
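
The comparison requested above, as an added example that is not part of the original issue and not Prism's own code: it looks up the header name and the scheme case-insensitively while leaving the credential untouched, since tokens remain case-sensitive. The function names (`getHeader`, `parseAuthorization`, `matchesScheme`, `evaluateSamples`) and the sample headers are assumptions made for illustration.

```typescript
// Added example (hypothetical helper names, not Prism's implementation).
interface Credentials {
  scheme: string; // normalized to lower case for comparison
  token: string;  // never normalized: credentials are case-sensitive
}

// HTTP field names are case-insensitive, so look the header up that way.
function getHeader(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Split "<scheme> <credentials>" and lower-case only the scheme.
function parseAuthorization(headers: Record<string, string>): Credentials | undefined {
  const value = getHeader(headers, "authorization");
  if (value === undefined) return undefined;
  const trimmed = value.trim();
  const sep = trimmed.indexOf(" ");
  if (sep <= 0) return undefined; // no scheme, or a scheme without credentials
  return {
    scheme: trimmed.slice(0, sep).toLowerCase(),
    token: trimmed.slice(sep + 1).trim(),
  };
}

// Compare against the scheme declared in the OpenAPI securityScheme (e.g. "bearer").
function matchesScheme(headers: Record<string, string>, declaredScheme: string): boolean {
  const creds = parseAuthorization(headers);
  return creds !== undefined && creds.scheme === declaredScheme.toLowerCase();
}

// Constructed sample requests, using the header variants listed in the issue.
const SAMPLE_HEADERS: Record<string, string>[] = [
  { "Authorization": "Bearer xyz" },
  { "Authorization": "bearer xyz" },
  { "authorization": "bearer xyz" },
  { "AutHORizAtIon": "BeaRer xyz" },
];

// Returns one boolean per sample; all four should match a declared "bearer" scheme.
function evaluateSamples(declaredScheme: string): boolean[] {
  return SAMPLE_HEADERS.map((h) => matchesScheme(h, declaredScheme));
}
```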