KB-2128 Web API and Connected System object errors after applying a hotfix package


After upgrading to a newer hotfix package on Appian 18.2 or later, the following symptoms occur when using a WebAPI or Connected System that references the request parameter http!request.header.authorization:

  • Calls made through WebAPI or Connected System objects to other services return error messages
  • The WebAPI tests return HTTP 500 errors
  • Unable to send or receive messages where integration is involved
  • HTTP 404 errors when users try to access pages which were once viewable
  • Removing the reference to http!request.header.authorization resolves any errors
  • When testing calls on affected objects, request body displays errors stating that a parameter is missing or null


Appian introduced a change via AN-155298 which includes an update to improve security. In particular, the authorization header is no longer accessible to the designer via the Web API expression when invoking Web API calls. As this header is no longer accessible, any existing calls making use of this property will return error messages stating that the field is null or that the parameter is missing.


The change is intentional and has been made to improve the security of the Appian environment. In order to resolve related issues, refactor any expressions or SAIL code referencing the Authorization header in any WebAPI or Connected System objects to no longer access and make use of this property. 

Affected Versions

This article applies to Appian 18.2 and later.

Last Reviewed: June 2020