You authenticate to CyberArk’s PVWA API, get a session token back with HTTP 200, then immediately call GET /PasswordVault/api/Accounts and get a 401 Unauthorized. The token looks valid. You confirmed it’s being passed in the request. The account has the right permissions.

Here’s why it’s happening and how to fix it.

The Problem: Wrong Authorization Header Format

CyberArk’s PVWA API (v9.x and earlier) does not use the standard Bearer token format. Sending:

Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...

returns 401 even with a perfectly valid token.

The correct format is the token value without the Bearer prefix:

Authorization: eyJhbGciOiJSUzI1NiJ9...

This trips up most developers because every other modern API uses Bearer. CyberArk’s older API predates that convention and uses its own session token scheme.

Fix in curl

# Wrong
curl -H "Authorization: Bearer $TOKEN" \
  "https://pvwa.company.com/PasswordVault/api/Accounts"

# Correct
curl -H "Authorization: $TOKEN" \
  "https://pvwa.company.com/PasswordVault/api/Accounts"

Fix in Ansible

In your uri task:

# Wrong
- name: Fetch accounts
  ansible.builtin.uri:
    url: "https://{{ pvwa_host }}/PasswordVault/api/Accounts"
    method: GET
    headers:
      Authorization: "Bearer {{ cyberark_session_token }}"

# Correct
- name: Fetch accounts
  ansible.builtin.uri:
    url: "https://{{ pvwa_host }}/PasswordVault/api/Accounts"
    method: GET
    headers:
      Authorization: "{{ cyberark_session_token }}"

Fix in Python

# Wrong
headers = {"Authorization": f"Bearer {token}"}

# Correct
headers = {"Authorization": token}

Fix in PowerShell

# Wrong
$headers = @{ Authorization = "Bearer $token" }

# Correct  
$headers = @{ Authorization = $token }

The Token Might Also Have Surrounding Quotes

When CyberArk’s Logon endpoint returns the token, it comes back as a JSON string — which means the raw response body looks like:

"eyJhbGciOiJSUzI1NiJ9..."

Note the surrounding double quotes. If you’re not parsing the JSON properly, you end up with a token that includes literal quote characters:

"eyJhbGciOiJSUzI1NiJ9..."   <- includes the " characters

And your Authorization header becomes:

Authorization: "eyJhbGciOiJSUzI1NiJ9..."

Which also returns 401.

Fix in Python:

import requests, json

auth_response = requests.post(
    f"https://{pvwa}/PasswordVault/API/auth/Cyberark/Logon",
    json={"username": user, "password": password}
)

# json() parses it — no surrounding quotes
token = auth_response.json()

# NOT: token = auth_response.text  ← this includes the quotes

Fix in Ansible:

# After the Logon call:
- name: Set session token
  ansible.builtin.set_fact:
    cyberark_session_token: "{{ auth_result.json }}"
    # NOT: cyberark_session_token: "{{ auth_result.content }}"
    # auth_result.content is the raw bytes including quotes

Verify What You’re Actually Sending

Add a debug step to confirm the header value before the API call:

- name: Debug auth header
  ansible.builtin.debug:
    msg: "Token first 30 chars: {{ cyberark_session_token[:30] }}"

If the output starts with a " character, you have the quoting problem. It should start with eyJ (the beginning of a JWT) or a similar alphanumeric string.
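The same check as a Python helper, added here as an example (not code from the original post or from CyberArk): it parses the raw Logon body, detects the Bearer-prefix and quoted-token problems described above, and reports them by name without printing any token characters. The function names and the sample token are constructed for illustration.

```python
import json

# Constructed sample values; not real CyberArk tokens.
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed.sample"
SAMPLE_LOGON_BODY = json.dumps(SAMPLE_TOKEN)  # raw body: token wrapped in "..."


def token_from_logon_body(body):
    """Parse the raw Logon response body (a JSON string) into the bare token."""
    token = json.loads(body)
    if not isinstance(token, str) or not token:
        raise ValueError("Logon body is not a non-empty JSON string")
    return token


def header_problems(value):
    """Return which of the two format problems an Authorization value has."""
    problems = []
    rest = value.strip()
    if rest[:7].lower() == "bearer ":
        problems.append("bearer-prefix")
        rest = rest[7:].strip()
    if rest.startswith('"') or rest.endswith('"'):
        problems.append("quoted-token")
    return problems


def pvwa_headers(logon_body):
    """Build the header dict for the older PVWA API: bare token, no Bearer."""
    token = token_from_logon_body(logon_body)
    problems = header_problems(token)
    if problems:
        # Report the problem names only, never the token itself.
        raise ValueError("bad session token format: " + ", ".join(problems))
    return {"Authorization": token}


if __name__ == "__main__":
    for label, value in [
        ("bearer + raw body", "Bearer " + SAMPLE_LOGON_BODY),
        ("raw body (.text)", SAMPLE_LOGON_BODY),
        ("parsed (.json())", token_from_logon_body(SAMPLE_LOGON_BODY)),
    ]:
        print(label, "->", header_problems(value) or "ok")
```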

Check Permissions Too

If the header format is correct and you’re still getting 401, check that the account has the Audit Users or List Accounts privilege on the PVWA. Specifically, the service account needs:

  • In CyberArk v12+: Added to the Vault Admins or given the CyberArk REST API permission
  • In older versions: Member of a group with Retrieve files and List files in the safe containing the accounts you’re querying

A 401 from the Accounts endpoint is almost always one of two things: wrong header format, or insufficient permissions. Check the format first — it’s the more common cause and takes 30 seconds to fix.

Summary

| Problem | Symptom | Fix |
| --- | --- | --- |
| Bearer prefix | 401 on all API calls | Remove Bearer, send token directly |
| Quoted token string | 401, token starts with " | Use .json() to parse, not .text or .content |
| Insufficient permissions | 401 despite correct token | Grant API access in CyberArk RBAC |