Unable to Authenticate Via Query String



I followed procedures and got an api key, but always get 401 in API Explorer when authenticating via Query string (OK for header though).


Any ideas on how to get it working?


You have to authorise your requests using a Bearer token in an Authorisation header. So, if you send this URL it’s not going to work:


Here are some steps you might have missed:

  1. Ensure your application is set up according to these instructions steps, especially:
    – With a callback URL (I think this can be any URL, actually, even if that’s not best practice…)
    – With the scope field set to user
    – With the type set to confidential

  2. Get your API key and shared secret. As detailed on this page, send a blank POST request to https://apikey:sharedsecret@api.transport.nsw.gov.au/auth/oauth/v2/token?grant_type=client_credentials&scope=user, replacing apikey with your key and sharedsecret with your shared secret.

  3. The server’s response to this request will contain your bearer token, e.g.


The access_token is what you need to authenticate. Now, call the API again, but this time send the GET request with an Authorisation header equal to “Bearer removed-1234-5678-9012-000000000000”. You should get the requested data back.


So how do you get the API Explorer to work using Authentication Type API Key?

I got the access_token okay, but there is no place to add a header Authorisation: Bearer access_token to the request.

Also, on some responses I get redirected to the main dashboard and don’t know what happened.

Also, is the access_token permanent or does it have to be recreated per session?


I haven’t been able to get the Explorer to work very well. You can add a Parameter named Authorization with the value Bearer etc and Parameter Type set to Header but I still get 401 errors.

I can usually only get data when sending requests through curl, Python or Postman. And yes, I often get redirected to the dashboard when I load a page or click a button.

Access_token lasts an hour, according to the expiry value (3600 seconds).


With the Authorization Type you need to use Oauth2

Details on how to do this can be found on the User Guide


API explorer only works with OAuth2 (follow Yvonne’s link). API Key alone will not allow access on query string at all, you must create a Bearer token and send the “Authorize: Bearer xxx” header with your request for the data feed.

implementation via PHP with Google’s PHP package is very easy and straight forward. Speed is also quick as PHP is very good at processing binary data that is returned.