I was enabling authentication on an Apigility API and no matter what I did I couldn’t authenticate my requests. I would constantly get a 403 forbidden. Turns out the problem was that Apache was stripping the Authorization header so apigility was even aware that a authorised request was even being attempted.
The solution was to explicitly allow Authorization header in the VHost for the domain by adding the following line to the vhost file.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
This is a note to myself – but may help someone else down the line.