Authorization is failing with Service Router server
Authorization Header Stripped at Apache-PHP Layer
Problem Summary
The Authorization header was being stripped at the Apache-to-PHP layer on the server. Although the browser and JavaScript were sending the Bearer token correctly, it never reached WordPress.
As a result, the following code was always returning empty inside verify_token():
$request->get_header('authorization')
This caused all authenticated API requests to fail, even when the client was sending valid credentials.
Root Cause
By default, Apache does not pass the Authorization header through to PHP in certain configurations. This is a common issue when using PHP as a FastCGI process or with certain Apache modules that filter headers before they reach the application layer.
Fix Applied
The solution involved three steps:
1. Updated the Apache vhost configuration to explicitly pass the Authorization header through to PHP
2. Enabled the required Apache module for header handling
3. Reloaded Apache to apply the changes
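The steps above do not name the directive or module that was used. The following vhost fragment is an added example, not the configuration from this server, and shows two standard ways to forward the header. The hostname, paths, and the Debian-style commands in the comments are assumptions.

```apache
# Added example: ServerName and DocumentRoot are placeholders (assumptions).
<VirtualHost *:443>
    ServerName api.example.test
    DocumentRoot /var/www/wordpress
    # Existing TLS and site directives stay unchanged.

    # Before the fix: nothing forwards Authorization, so under CGI/FastCGI
    # handlers $_SERVER['HTTP_AUTHORIZATION'] is unset and
    # $request->get_header('authorization') returns empty.

    # Option A (requires mod_setenvif): copy the request header into the
    # environment variable that PHP exposes as HTTP_AUTHORIZATION.
    SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1

    # Option B (Apache 2.4.13 or later, core directive): allow CGI/FastCGI
    # handlers under this directory to receive the Authorization header.
    <Directory /var/www/wordpress>
        CGIPassAuth On
    </Directory>

    # Keep the token out of logs: do not add %{Authorization}i to a
    # LogFormat used by this vhost.
</VirtualHost>

# Enable the module, validate, then reload (Debian/Ubuntu layout assumed):
#   a2enmod setenvif
#   apachectl configtest
#   systemctl reload apache2
```

Either option alone is enough. Run the config test before the reload so a missing module fails loudly instead of leaving the header silently dropped.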
Updated on: 11/01/2026