Why do people design web APIs where the way you submit your authorization is via a custom header?

Especially when the authorization is literally a token?

Am I ingesting something special?

Comments
  • 3
    Incompetence
  • 0
    A header is available and can be used for every HTTP method
  • 2
    @retoor The Authorization header is specifically meant for this purpose. And usually doesn't require tooling trickery to provide.
  • 2
    I'm probably one of the incompetent people then.
    The problem with that header is that you need to provide an authentication schema.
    https://developer.mozilla.org/en-US...

    I don't know how to create a custom one and don't have an authentication step in a pre-shared-key, server-to-server, application-specific comms setup.

    A custom header is designed to share application specific information. It's not trickery to do today and in fact super simple.
    Now if one would design both authentication and authorisation not using the HTTP framework (401 response etc) and implement their own version of OAuth that would be incompetent.
  • 2
    some middle manager on their side saying "NOOOOOOOOOOOOOO we can't use the authorization header here for $BullshitReasonNumber420"
  • 2
    I did that once. Goal was to have a separate token/session for anonymous users and preserve the shopping cart when user logged on. Having different carts for each tab ruled the cookie approach unfit.
  • 1
    I have that exact thing with an API of a system we're reselling.
  • 4
    Incompetence... Maybe. Mostly people not aware of why Authorization exists as a header.

    What problem does Authorization solve?

    Well.... Proxies. Caching APIs. Middleware in general.

    Anything that needs to be aware that something "important" as authorization is happening.

    You don't want to cache an authorization request. That's a bad idea. Pending security disaster incoming.

    Now what most people completely misunderstand: While the RFC for Authorization lists type and there are known types registered like anything else in the IANA.... Nothing prevents you from setting the Authorization type in the Authorization header to e.g.

    PoopooPeepee

    The goal was always to make sure that there is an extensibility and that it can be filled with custom values. What was just needed was to have a common ground, the header name.

    So set a custom type in the Authorization header and be done with it. This ensures compatibility, which is a must-have if you want to have a usable web application for e.g. large company networks. Cause they most likely have hardware-based proxies and other stuff which will make your life miserable if you add an X-PoopooPeepee header and expect things to work...

    Another thing many people forget - and which is something I'm really tired of pointing out - HTTP headers are ASCII, have a length limit and if there is an RFC, for fuck's sake read it.

    It might spare you a lot of wasted money and lost money, cause standards exist for a reason.
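To make the two points above concrete (the reply asking how to "create a custom" scheme, and the explanation of why the Authorization header name matters to proxies and caches), here is an added example in Python. It is not code from this thread or from any project mentioned in it. It assumes a hypothetical custom auth-scheme name `acme-psk` and a constructed pre-shared key; `parse_authorization` follows the RFC 7235 `credentials` grammar, `authenticate` answers with a proper 401 challenge, and `shared_cache_may_store` applies the RFC 9111 section 3.5 rule that makes a shared cache refuse to reuse a response to a request that carried Authorization unless the response explicitly opts in.

```python
"""Added example (not from the thread): a custom scheme in the standard
Authorization header, plus the cache rule that a custom X- header never gets.
"""
import hmac
import re
from typing import Dict, Optional, Set, Tuple

# RFC 7235: credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
# auth-scheme is an RFC 7230 token and is compared case-insensitively.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_CREDENTIALS_RE = re.compile(rf"^({_TOKEN})(?:[ \t]+(.+))?$")

APP_SCHEME = "acme-psk"  # hypothetical custom auth-scheme, assumed for this example
_PRESHARED_KEY = "constructed-demo-key-0123"  # constructed; load from a secret store in practice


def parse_authorization(value: str) -> Optional[Tuple[str, str]]:
    """Return (scheme lower-cased, credentials) or None when the value is malformed.

    Header field values are ASCII, so anything else is rejected rather than guessed at.
    """
    if not value.isascii():
        return None
    m = _CREDENTIALS_RE.match(value.strip(" \t"))
    if not m:
        return None
    return m.group(1).lower(), (m.group(2) or "").strip(" \t")


def authenticate(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Check a pre-shared key carried as `Authorization: acme-psk <key>`.

    Returns (status, response headers). A 401 carries the WWW-Authenticate
    challenge RFC 7235 requires, naming the custom scheme and a realm.
    """
    h = {k.lower(): v for k, v in headers.items()}
    challenge = {
        "WWW-Authenticate": f'{APP_SCHEME} realm="service-to-service"',
        "Cache-Control": "no-store",
    }
    raw = h.get("authorization")
    parsed = parse_authorization(raw) if raw is not None else None
    if parsed is None:
        return 401, challenge
    scheme, creds = parsed
    # Constant-time comparison so timing does not leak how much of the key matched.
    if scheme != APP_SCHEME or not hmac.compare_digest(creds.encode(), _PRESHARED_KEY.encode()):
        return 401, challenge
    return 200, {"Cache-Control": "no-store"}


def _directives(cache_control: str) -> Set[str]:
    """Split a Cache-Control value into its directive names, lower-cased."""
    return {d.strip().split("=", 1)[0].lower() for d in cache_control.split(",") if d.strip()}


def shared_cache_may_store(request_headers: Dict[str, str], response_headers: Dict[str, str]) -> bool:
    """Decide whether a shared cache (proxy, CDN) may store and reuse this response.

    Implements the Authorization-specific rule of RFC 9111 section 3.5 plus the
    no-store/private directives; other section 3 constraints are out of scope here.
    """
    req = {k.lower() for k in request_headers}
    cc = _directives({k.lower(): v for k, v in response_headers.items()}.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "authorization" in req:
        # Only these directives explicitly allow shared caching of such a response.
        return bool(cc & {"must-revalidate", "public", "s-maxage"})
    # A request authenticated via a custom X- header gets no such protection:
    # the cache cannot tell it apart from an anonymous request.
    return True


if __name__ == "__main__":
    print(authenticate({"Authorization": f"{APP_SCHEME} {_PRESHARED_KEY}"}))
    print(shared_cache_may_store({"Authorization": "x"}, {"Cache-Control": "max-age=60"}))
    print(shared_cache_may_store({"X-Acme-Token": "x"}, {"Cache-Control": "max-age=60"}))
```

The last two calls show the difference the comment is about: with `Authorization` present, a standards-following shared cache refuses to reuse a `max-age=60` response that did not say `public`, `s-maxage` or `must-revalidate`; with the same token in a made-up `X-Acme-Token` header, nothing in the cache's rules stops it from serving one client's authenticated response to the next. (RFC 6648 also deprecates the `X-` prefix for new header names.)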