How to authenticate calls API proxy module

I’m reading the documentation on the Bitbucket API proxy module. Specifically, I’m looking at the diagram under the How it works section:

#3 - The proxy forwards the request to your app’s backend service.

How does verify that a call it receives is actually an authenticated call from I’ve set up a proof-of-concept proxy configuration:

"modules": {

And trigger it using this code:

   url: '/api/repository',
   success: function (data) {
    error: function(err) {

I can see in my logs the request made to /api/repository but I cannot see anything in the request that I can use to authenticate that the request is actually from

I’m assuming I’m missing something obvious because it seems like a pretty serious and obvious security flaw in the API proxy module but I cannot for the life of me work out what I’m missing :confounded:

Hi @AlexDess,
there should be an Authorization header included in the request which is a JWT token, which you can decode with your app secret.

Let me know if this helps

That’s what I thought! :slight_smile:

But I cannot see it in my logs. I can see other headers but not that one. I’m logging what my application code in an AWS Lambda function sees. That Lambda is behind an API Gateway & a CloudFront distribution. Maybe it is being stripped by one of those. I’ll see if I can check closer to BB.

Thanks for your help :pray:
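
An added example, not part of the thread or of Bitbucket's code: a Node.js check that a Lambda handler could run for the JWT described in the answer above, reporting a missing Authorization header separately from a bad signature. It assumes an HS256 token sent as `JWT <token>` or `Bearer <token>`, which the thread does not confirm; the function names, secret and sample token are constructed.

```javascript
// Added example: verify an HS256 JWT from the Authorization header of a Lambda-style event.
const crypto = require('crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Header names may arrive in any letter case after passing through CloudFront / API Gateway.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyProxyRequest(event, sharedSecret, nowSec = Math.floor(Date.now() / 1000)) {
  const auth = getHeader(event.headers, 'authorization');
  if (!auth) return { ok: false, reason: 'missing-authorization-header' };
  // Assumed header shape: "<scheme> <header>.<payload>.<signature>", all base64url.
  const m = /^(?:JWT|Bearer)\s+([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(auth.trim());
  if (!m) return { ok: false, reason: 'malformed-token' };
  const [, h, p, sig] = m;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed-token' }; }
  // Pin the algorithm so the token cannot select "none" or another scheme.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'unexpected-alg' };
  const expected = crypto.createHmac('sha256', sharedSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad-signature' };
  if (typeof claims?.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Builds a constructed sample token for the demo (not a real Bitbucket token).
function signSample(claims, secret) {
  const h = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const p = b64url(JSON.stringify(claims));
  const s = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest('base64url');
  return `${h}.${p}.${s}`;
}

const SECRET = 'constructed-shared-secret';
const token = signSample({ iss: 'constructed-issuer', exp: 2000000000 }, SECRET);
console.log(verifyProxyRequest({ headers: { Authorization: `JWT ${token}` } }, SECRET, 1700000000));
console.log(verifyProxyRequest({ headers: { host: 'example.invalid' } }, SECRET, 1700000000));
```

A `missing-authorization-header` result is the situation in the last reply: the token never reached the function, so the place to look is the layers in front of it, not the signature check.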