API Testing Challenges 31 - How To - forbidden secret note 403

How to complete the unauthorized secret note challenge, which returns a status code of 403 Forbidden.

Issue a GET request on the `/secret/note` endpoint and receive 403 when `X-AUTH-TOKEN` does not match a valid token.

The `X-CHALLENGER` header authenticates you to access a specific set of secret notes, and the `X-AUTH-TOKEN` authorizes you to gain access.

- `GET` request means use the HTTP Verb GET
- e.g. `GET /secret/note` sends to the secret note endpoint
- `X-AUTH-TOKEN` means include a header named `X-AUTH-TOKEN` in the message. The `X-` implies it is a non-standard custom header
- `does not match a valid token` means that the value in the header should be different from the value returned from the `secret/token` endpoint
- add the `X-CHALLENGER` header to track progress and because the authentication code we need is associated with the `X-CHALLENGER` session
- Receive a 403 FORBIDDEN response because the authorization token does not match the token required to access the data
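
The request described above as a negative authorization test. This is an added example, not code from the video or the challenge application: the local stand-in server, the session id, the token values and the function names are all constructed so the check runs offline, and the 200 for a matching token is an assumption of the stand-in.

```python
import hmac
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in data: challenger session id -> token issued for that session.
CHALLENGER = "challenger-session-placeholder"
SESSION_TOKENS = {CHALLENGER: "token-issued-for-this-session"}

class StandInApi(BaseHTTPRequestHandler):
    """Local stand-in that models only the rule stated on this page."""
    def do_GET(self):
        issued = SESSION_TOKENS.get(self.headers.get("X-CHALLENGER"), "")
        sent = self.headers.get("X-AUTH-TOKEN", "")
        if self.path != "/secret/note":
            status = 404
        elif issued and hmac.compare_digest(sent.encode(), issued.encode()):
            status = 200  # assumption: a matching token is allowed through
        else:
            status = 403  # token does not match the one tied to the session
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the test output quiet
        pass

def get_secret_note(base_url, challenger, auth_token):
    """Send GET /secret/note with both custom headers; return the status code."""
    request = urllib.request.Request(
        base_url + "/secret/note", method="GET",
        headers={"X-CHALLENGER": challenger, "X-AUTH-TOKEN": auth_token})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(request, timeout=5) as response:
            return response.status
    except urllib.error.HTTPError as error:  # 4xx responses arrive as exceptions
        return error.code

def run_checks():
    """Start the stand-in on a free port and compare both token cases."""
    server = HTTPServer(("127.0.0.1", 0), StandInApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base_url = f"http://127.0.0.1:{server.server_port}"
    try:
        return {
            "mismatched_token": get_secret_note(base_url, CHALLENGER, "not-the-issued-token"),
            "matching_token": get_secret_note(base_url, CHALLENGER, SESSION_TOKENS[CHALLENGER]),
        }
    finally:
        server.shutdown()
        server.server_close()
```

Running the matching-token case next to the mismatched one confirms the 403 comes from the token comparison and not from a wrong path or a missing `X-CHALLENGER` header.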
