If you aren’t using the built in php server for development, and like me you are using a vagrant box configured by puPHPet, this will save you a lot of wasted time wondering why you get 401s and 403s when you aren’t expecting them.
In your vhost section , under the setenv option, we add a new setenvif option:
setenvif: - 'Authorization "(.*)" HTTP_AUTHORIZATION=$1'
Without this option, the Authorization header is being stripped! Run vagrant provision, and suddenly everything should be working correctly. Now get on with building that API!