Why is Swagger UI not sending the Authorization header in Laravel API Platform requests?

It looks like the issue isn’t with your Laravel setup per se but rather with how the Swagger UI (provided by api-platforms/laravel) handles adding the Authorization header when using apiToken authentication. Third-party requests work because you’re manually including the header, whereas the UI isn’t automatically attaching the token after login.

Below are a couple of points and potential solutions:

1. Swagger UI Behavior:
   The Swagger UI “Authorize” button only auto-adds the header when you explicitly enter your token into its “Authorize” modal. If the authentication flow you’re using (based on apiToken) isn’t configured to automatically pass the API token into the UI’s apiKey settings, then subsequent “Try it out” calls won’t include the header.

2. Authentication Type:
   Unlike setups using Passport with the CreateFreshApiToken middleware (which uses cookies to include an encrypted JWT automatically), the apiToken approach expects you to attach the token via a header. The configuration you posted tells Swagger to look for an apiKey in the header (with the name “Authorization”), but it doesn’t automatically know what value to use after a standard “login”—you must supply it.

3. Recommended Fixes:

   • Manually Trigger Authorization in Swagger:
     Click on the “Authorize” button in the Swagger UI and enter your token. This will ensure that the header is added to all subsequent requests made from the UI.
   • Customize Swagger Configuration (if needed):
     If your desired flow is to have the token automatically set after login, you may need to adjust the Swagger UI configuration in your api-platform config or customize the JavaScript that Swagger UI uses. This customization would programmatically set the token value as soon as authentication occurs.

4. Double Check the Configuration:
   Verify that your api-platforms/laravel configuration for swagger_ui is not overridden elsewhere and that the apiKey settings are correctly pointing to the request header. Your fragment shows:

   PHPCopied
   'swagger_ui' => [
       'enabled' => true,
       'apiKeys' => [
           'api' => [
               'type' => 'apiKey',
               'name' => 'Authorization',
               'in' => 'header'
           ]
       ],
   ],

   This means that Swagger expects an “Authorization” header. If you need a “Bearer” prefix, ensure that when you enter your API token in the UI (or via your custom logic) it’s prefixed with “Bearer ” if required by your API middleware.

In summary, the absence of the Authorization header in requests made via the platform is because the UI isn’t automatically injecting your token unless you use its “Authorize” feature (or a customized setup). Adjusting how you supply the token to Swagger will resolve the 401 errors you’re encountering.