REST client BASIC auth: password with special characters produces 401 at runtime

[ako]

Problem

A REST client with Authentication: BASIC (Username: 'user', Password: '...!...') serializes successfully and passes mx check, but at runtime the outgoing HTTP request contains no Authorization header — the server returns 401. The same credentials work when passed to an inline REST CALL ... AUTH BASIC ... action.

Reproduction

CREATE REST CLIENT Module.API (
  BaseUrl: 'https://api.example.com',
  Authentication: BASIC (Username: 'user', Password: 'TMT5wgw-zut!cbp-rqp')
)
{
  OPERATION GetData { Method: GET, Path: '/data', Response: NONE }
};

CREATE MICROFLOW Module.Test ()
BEGIN
  SEND REST REQUEST Module.API.GetData;
END;
/

Runtime: 401 Unauthorized, no Authorization: Basic ... header in the outgoing request.

Compare with inline:

REST CALL GET 'https://api.example.com/data'
  AUTH BASIC 'user' PASSWORD 'TMT5wgw-zut!cbp-rqp'
  RETURNS String;

Works correctly — sends the auth header.

Investigation (BSON is correct)

Inspected the BSON produced by mxcli for the REST client:

"AuthenticationScheme": {
  "$Type": "Rest$BasicAuthenticationScheme",
  "Username": { "$Type": "Rest$StringValue", "Value": "user" },
  "Password": { "$Type": "Rest$StringValue", "Value": "TMT5wgw-zut!cbp-rqp" }
}

The ! character is stored verbatim (not escaped, not interpreted as a template placeholder). The BSON structure matches what Studio Pro produces for the same credentials.

This points to a Mendix runtime issue: the REST client call action (Microflows$RestOperationCallAction) is not picking up the REST client's AuthenticationScheme correctly at request time, or something about the password string is tripping a template-engine pass before the value is applied.

Suggested fix

1. Verify on the Mendix side: is there a known issue with Rest$StringValue containing ! or other characters that the ValueTemplate engine treats as special? If so, the value should be stored as a literal (e.g., a Rest$ConstantValue or with explicit escaping).
2. Workaround (already works): store the password as a $Constant reference — Password: $ApiPassword — which is stored as Rest$ConstantValue and bypasses any template processing.

Related

• Issue SEND REST REQUEST writer drops parameter mappings and mis-encodes JSON body #193 (SEND REST REQUEST writer drops parameter mappings and mis-encodes JSON body) — the REST client call action has multiple known issues. This 401 behavior may share a root cause.

[github-actions]

Issue Triage

Summary:
The issue reports that a REST client defined with BASIC authentication (username/password containing special characters) serializes correctly but fails to send an Authorization header at runtime, resulting in a 401 error, while an inline REST CALL works fine.

Checklist for bug report completeness

Required information	Present?	Details
mxcli version	❌	Not mentioned
Mendix version	❌	Not mentioned
Scenario (what the user was trying to do)	✅	MDL script defining a REST client and microflow that sends a request
Expected output	✅	Authorization header should be included in the outgoing HTTP request
Experienced output	✅	401 Unauthorized; no Authorization header observed
AI bug report (mxcli diag --bundle or session log)	❌	Not provided

Missing information:
Please add the following details so we can investigate further:

1. The version of mxcli you are using (mxcli --version or commit/build info).
2. The Mendix version of the project you are processing (e.g., 10.6.0, 9.24.0).
3. If possible, attach the output of mxcli diag --bundle or at least the relevant session log from the command that produced the BSON.

Once we have those, we’ll be able to reproduce the issue and look into the root cause. Thank you for bringing this to our attention!

---

Automated triage via OpenRouter — workflow source