Single Model serving / Authorino Error 401 - Unauthorized

Solution Unverified - Updated -

Issue

After deploying a model server with Authorino token configured with the Bearer token inside the payload, you can face a HTTP 401 - unauthorized error

Example of request :

curl -H "content-type:application/json" \
    -H "Authorization: Bearer MY_TOKEN" \
-v https://{MODEL_ENDPOINT}/v1/chat/completions \
-d '{"model":"granite-2b","messages":[{"role":"system","content":"You are an assistant that speaks like Yoda."},{"role":"user","content":"Write a poem about fruits"}],"max_tokens":4000,"stream":false}'

Example of output :

* Host MODEL_ENDPOINT:443 was resolved.
* IPv6: (none)
* IPv4: xx.xx.xx.xx
*   Trying xx.xx.xx.xx:443...
* schannel: disabled automatic use of client certificate
* Connected to {MODEL_ENDPOINT} (xx.xx.xx.xx) port 443
* using HTTP/1.x
> POST /v1/chat/completions HTTP/1.1
> Host: MODEL_ENDPOINT
> User-Agent: curl/8.11.0
> Accept: */*
> content-type:application/json
> Authorization: Bearer TOKEN
> Content-Length: 195
>
* upload completely sent off: 195 bytes
< HTTP/1.1 401 Unauthorized
< content-length: 0
< date: Wed, 02 Apr 2025 11:59:56 GMT
< server: istio-envoy
< www-authenticate: Bearer realm="kubernetes-user"
< x-envoy-upstream-service-time: 31
< x-ext-auth-reason: not authenticated
<
* Connection #0 to host MODEL_ENDPOINT left intact

Environment

  • Red Hat OpenShift AI Self-Managed

    • 2.18

  • Red Hat Authorino

    • 1.1.2

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content