I'm trying to send a request to an external API using a custom header named "KEY" for authentication.
When testing the same request using Postman or a standalone Flask script, everything works correctly. However, when sending the request from within Odoo (using Python `requests`), the server always responds with:
`401 - The authorization key is invalid`
It seems like Odoo or the hosting environment is blocking or stripping the "KEY" header from the request.
I’ve tried alternatives like "x-api-key", "X_KEY", and others, but none of them worked.
Is there a known limitation in Odoo regarding custom headers like this? Any advice or workaround would be appreciated.
What's your actual source?
No, I did not encounter an issue like this using requests. There shouldn't be anything blocking from Odoo either. Also, I meant to ask what your source is - how are you calling that API exactly. Because your issue most likely lies in there. The key obviously should not be shared, but all the rest would be helpful to get a picture of what you are actually sending - and how you do that. Also, share the specs of the API and how authentication is supposed to happen as well. Maybe there's just a misunderstanding on that one.
~~ I don't know how I managed to post my question as an answer, hence converted it to a comment and re-created reply for Mohammed ~~
Mohammed (Autor)
Hi Christoph,
Thanks for your reply.
The source is a third-party API that requires a custom header named KEY for authentication. The same request works perfectly when tested via Postman or a Flask script, but fails with a 401 error when triggered from inside Odoo using requests.
I’m trying to figure out whether Odoo or its internal server environment is blocking or stripping the KEY header.
Let me know if you’ve seen this kind of behavior or have suggestions
About your log - sorry for the confusion, I meant the on on the API endpoint which you're trying to authenticate at. But also on your end you can do a verbose debug logging on the request, i.e. https://stackoverflow.com/questions/10588644/how-can-i-see-the-entire-http-request-thats-being-sent-by-my-python-application
Yes, exactly — the issue seems to lie in how Odoo (or possibly Werkzeug behind it) handles or strips custom headers like KEY when making requests using Python’s requests library from within Odoo’s environment. The same request works fine outside (Postman / Flask), but always triggers a 401 Unauthorized when called from inside Odoo.
I’m currently investigating possible middleware or proxy behaviors that could interfere with custom headers. If you’ve encountered similar behavior with requests inside Odoo or have recommendations (e.g., using http.client, overriding headers handling, or adjusting WSGI configurations), I’d truly appreciate your input.
Thanks again for your help!