If your api-calls are also processed by mod_auth_mellon, it means they are either not excluded in the auth.conf in your site, or not defined.
Below is the part in a/the auth.conf that will decide to use mod_auth_mellon or local auth.
<If "! %{HTTP_COOKIE} =~ /auth_/ && \
! %{REQUEST_URI} = '/${SITE}/check_mk/register_agent.py' && \
! %{REQUEST_URI} = '/${SITE}/check_mk/webapi.py' && \
! %{REQUEST_URI} = '/${SITE}/check_mk/run_cron.py' && \
! %{REQUEST_URI} = '/${SITE}/check_mk/automation.py' && \
! %{REQUEST_URI} -strmatch '/${SITE}/check_mk/api/*' && \
! %{REQUEST_URI} = '/${SITE}/check_mk/deploy_agent.py' && \
! %{QUERY_STRING} =~ /(_secret=|auth_|register_agent)/ && \
! %{REQUEST_URI} =~ m#^/${SITE}/(omd/|check_mk/(images/.*\.png|login\.py|.*\.(css|js)))# && \
! %{REQUEST_URI} =~ m#^/${SITE}/(omd/|check_mk/(images/.*\.svg|login\.py|.*\.(css|js)))# ">
As you can see in this block there is an entry which will make sure the api falls outside of the mod_auth_mellon.
specifically:
! %{REQUEST_URI} -strmatch '/${SITE}/check_mk/api/*' && \
This was taken from my original How-To, where others also mentioned extending the condition-block after having noticed some were missing.
- Glowsome