Incorrect Authorization Header

My question: I’m trying to configure my Walmart All Order Released api, but I’m getting an incorrect authorization header error. Postman is not liking the header “Authorization” key to have the an Base64 encoded client ID with the word "Basic " in front of the coded client ID. I also assumed that the “WM_SEC.ACCESS_TOKEN” key to have the Base64 encoded value of my client secret.

The encoding was done by an online service: https://www.base64encode.org/ and selecting the UTF-8 character set.

Hi @rdinosogsb

Can you share a screenshot of what you have tried and the console log output (bottom left of the screen)?

Hi! were you able to solve it? I am having the same error and my keys are correct.

You said you encoded the ClientID with the word basic in fornt of it but when reading the docs it suggests that it should be the ClientID and Client Secret that gets base64 encoded.

Example: Basic YzcyOTFjNmItNzI5MC00…

Basic authorization header. Base 64 encodes the Client ID and Client Secret retrieved in step two of the integration steps.

Both the ClientID and the Client Secret are Base64 encoded, and I removed the word “Basic” from the Client ID. I’m thinking the various URLs are incorrect. For the baseURL variable I used https://marketplace.walmartapis.com.

Here’s my error message:

Is {{Authorisation}} your ClientID and {{WM_SEC.ACCESS_TOKEN}} your Client Secret? … before anything gets changed?

Looking at the official docs, these two values are very different from what you are feeding in here…

Also, above the section in your screenshot, there is also a pre-fix, is this still set to “Bearer” … looks like the prefix is “Basic”.


The make-up of the Auth header should be something like this;

const ClientID = 'my-3x4mpl3-cl13n7-1d';
const ClientSec = 'my-3x4mpl3-53cr37';
let base64Auth = btoa(ClientID + ":" + ClientSec);
console.log('Basic ' + base64Auth);

Output;
image

Your header would then look like;
image


Not 100% sure how it currently builds it, but you could check in the console log to see what the base64 value is and then decode it to see if it is the correct format (separated with a : colon).

Here to say that I’m encountering the very same issue.

Trying to generate token according to api documentation:

Sending post request like that (except login and pw are replaced accordingly. Tried to attach collection as a file, but apparently I can’t do that, so pasted below):

{
	"info": {
		"_postman_id": "9f3aabae-3317-4c62-bbd1-fa891aa1b64d",
		"name": "walmart test",
		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
		"_exporter_id": "22134029"
	},
	"item": [
		{
			"name": "New Request",
			"protocolProfileBehavior": {
				"disabledSystemHeaders": {
					"accept": true
				}
			},
			"request": {
				"auth": {
					"type": "basic",
					"basic": [
						{
							"key": "password",
							"value": "client_secret",
							"type": "string"
						},
						{
							"key": "username",
							"value": "client_id",
							"type": "string"
						}
					]
				},
				"method": "POST",
				"header": [
					{
						"key": "WM_SVC.NAME",
						"value": "Walmart Service Name asda",
						"type": "text"
					},
					{
						"key": "Accept",
						"value": "application/json",
						"type": "text"
					},
					{
						"key": "WM_QOS.CORRELATION_ID",
						"value": "test",
						"type": "text"
					},
					{
						"key": "WM_SVC.VERSION",
						"value": "1.0.0",
						"type": "text"
					}
				],
				"body": {
					"mode": "urlencoded",
					"urlencoded": [
						{
							"key": "grant_type",
							"value": "client_credentials",
							"type": "text"
						}
					]
				},
				"url": {
					"raw": "https://marketplace.walmartapis.com/v3/token",
					"protocol": "https",
					"host": [
						"marketplace",
						"walmartapis",
						"com"
					],
					"path": [
						"v3",
						"token"
					]
				}
			},
			"response": []
		}
	]
}

Getting the following response:

{
    "error": [
        {
            "code": "INVALID_REQUEST_HEADER.GMP_GATEWAY_API",
            "field": "Authorization",
            "description": "Incorrect Authorization header",
            "info": "One or more request headers are invalid.",
            "severity": "ERROR",
            "category": "DATA",
            "causes": [],
            "errorIdentifiers": {}
        }
    ]
}

I’m out of ideas what exactly went wrong and how to solve it. If anyone has any tips - that would be greatly appreciated

I have solved this problem, the clientId and the clientSecret can not use original to request.
You should decode both of them.

like:int cKeyLength = 4;
            String keyMD5 = md5(key);
            String keyA = md5(keyMD5.substring(0, 16));
            String keyB = md5(keyMD5.substring(16, 32));
            String curTime = md5(String.valueOf(System.currentTimeMillis()));
            String keyC = decode ? authString.substring(0, cKeyLength): curTime.substring(curTime.length()-cKeyLength);

            String cryptKey = keyA + md5(keyA + keyC);
            byte[] keyBytes = cryptKey.getBytes("ASCII");
            String hash =  String.format("%010d", 0) + md5(authString + keyB).substring(0, 16)  + authString;
            byte[] dataBytes = decode ? Base64.getDecoder().decode(authString.substring(cKeyLength)) : hash.getBytes("ASCII");
            int[] box = new int[256];
            for (int i = 0; i < 256; i++) {
                box[i] = i;
            }

            int[] rndKey = new int[256];
            for (int i = 0; i <= 255; i++) {
                rndKey[i] = keyBytes[i % keyBytes.length];
            }

            for (int j = 0, i = 0; i < 256; i++) {
                j = (j + box[i] + rndKey[i]) % 256;
                int temp = box[i];
                box[i] = box[j];
                box[j] = temp;
            }

            byte[] result = new byte[dataBytes.length];
            for (int a = 0, j = 0, i = 0; i < dataBytes.length; i++) {
                a = (a + 1) % 256;
                j = (j + box[a]) % 256;
                int temp = box[a];
                box[a] = box[j];
                box[j] = temp;
                result[i] = (byte) ((dataBytes[i]) ^ (box[(box[a] + box[j]) % 256]));
            }

            String decrypted = new String(result, "ASCII");
            if (decode){
                long currentTime = System.currentTimeMillis() / 1000;
                if ((Long.parseLong(decrypted.substring(0, 10)) == 0 || Long.parseLong(decrypted.substring(0, 10)) - currentTime > 0)
                        && decrypted.substring(10, 26).equals(md5(decrypted.substring(26) + keyB).substring(0, 16))) {
                    return decrypted.substring(26);
                } else {
                    return "";
                }
            } else {
                return keyC +   new String(Base64.getEncoder().encode(result), "ASCII").replace("=", "");
            }

the key is the salt,maybe you could find it in your seller information.

and then this is the return the really Authorization:headers.setBasicAuth(clientId, clientSecret);

this is how I solve it