401 Unauthorized when trying to send e-Mail over API


I made a custom e-mail template and now I want to send a mail over the API for an invoice using this template.

I’m using the following curl command:

curl -v -X POST $API_URL’emails’
-H ‘X-Api-Token:’$API_TOKEN
-H ‘Content-Type: application/json’
-H ‘X-Requested-With: XMLHttpRequest’
-d ‘{“entity”: “invoice”, "entity_id: “LYqaQAManj”, “template”: “email_template_custom2”}’

The (masked) output of curl then is:

Note: Unnecessary use of -X or --request, POST is already inferred.

  • Trying 192.168..:80…
  • Connected to 192.168.. (192.168..) port 80 (#0)

POST /api/v1/emails HTTP/1.1
Host: 192.168..
User-Agent: curl/7.74.0
Accept: /
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 85

  • upload completely sent off: 85 out of 85 bytes
  • Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < Date: Wed, 08 Mar 2023 10:48:19 GMT
    < Server: Apache/2.4.54 (Debian)
    < Cache-Control: no-cache, private
    < X-RateLimit-Limit: 300
    < X-RateLimit-Remaining: 296
    < Access-Control-Allow-Origin: *
    < Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    < Access-Control-Allow-Headers: X-API-PASSWORD-BASE64,X-API-COMPANY-KEY,X-API-SECRET,X-API-TOKEN,X-API-PASSWORD,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Disposition,Range,X-CSRF-TOKEN,X-XSRF-TOKEN,X-LIVEWIRE
    < Access-Control-Expose-Headers: X-APP-VERSION,X-MINIMUM-CLIENT-VERSION,Content-Disposition
    < X-APP-VERSION: 5.5.83
    < Transfer-Encoding: chunked
    < Content-Type: application/json
  • Connection #0 to host 192.168.. left intact
    {“message”:“This action is unauthorized.”}

As you can see I get a status code of ‘401 Unauthorized’ with the message “This action is unauthorized”.

Can you tell me what this means? It’s not a wrong API-Token and I’m not using HTTPS on the Testsystem.

Sending an e-mail over the endpoint /api/v1/invoices/{id}/email was working, but then it just sends the normal invoice e-mail.


@david do you have any thoughts?


Can you advise if this particular user is an administrator, or if they have reduced permissions?

We perform several levels of checks at the edge of the request to ensure the permissions are correct.

  1. The invoice requesting to be sent is attached to the company (inferred from the token)
  2. Ensure the user has at least edit permissions on the invoice.

On the Testsystem I’m only working with the admin user and we only have one company and one api-token. All invoices have user_id = 1 and company_id = 1.

For the user with id=1 I get from the database:
SELECT permissions, is_owner, is_admin, is_locked FROM company_user WHERE user_id = 1;

(null) 1 1 0

So I am an admin but the permissions are null (which is probably the way it should be?).

I also tried it on our production system where we have a whitelabel licence, but I get the same message.


Something doesn’t sound right, i’ve tested locally and haven’t been able to recreate this particular issue:

curl -X POST 'http://ninja.test:8000/api/v1/emails' \
-H "Content-Type:application/json" \
-H "X-API-TOKEN:company-token-test" \
-d '{"entity": "invoice","entity_id": "QK9b6KNdEv","template": "email_template_custom2"}' \
-H "X-Requested-With: XMLHttpRequest";

I have made some changes around this part of the system in 5.5.84, could you retry on this version and advise if you are still seeing issues.

Somehow it’s working now. Maybe it’s the new version or our mailserver (or I made some typos in the request originally).
Anyway, thank you.