I raised an issue on Github and they confirmed a bug:
opened 12:43PM - 09 Feb 24 UTC
Bug
c: Security
Regression
c: Tracking
### What happened?
I did some tests with Postman and with debugging enabled. … Doing a single tracking request works perfectly. I take the same token and put it into a bulk tracking request and I get the error:
WARNING! token_auth = xxxxx is not valid, Super User / Admin / Write was NOT authenticated
### What should happen?
It should authenticate and process the tracking requests
### How can this be reproduced?
Send on Postman this tracking request
```
{
"requests": [
"?idsite=2&rec=1&cip=23.145.24.180&cdt=1706332501&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=-&ua=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F119.0.0.0+Safari%2F537.36",
"?idsite=2&rec=1&cip=2.57.122.115&cdt=1706371627&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=http%3A%2F%2Fwww.rundumgesund.org%3A80%2F&ua=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_2%29+AppleWebKit%2F601.3.9+%28KHTML%2C+like+Gecko%29+Version%2F9.0.2+Safari%2F601.3.9",
"?idsite=2&rec=1&cip=2.57.122.115&cdt=1706371627&url=https%3A%2F%2Fwww.rundumgesund.org%2F&urlref=http%3A%2F%2Frundumgesund.org%3A80%2F&ua=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_2%29+AppleWebKit%2F601.3.9+%28KHTML%2C+like+Gecko%29+Version%2F9.0.2+Safari%2F601.3.9"
],
"token_auth": "put your token"
}
```
### Matomo version
5.0.2
### PHP version
_No response_
### Server operating system
_No response_
### What browsers are you seeing the problem on?
_No response_
### Computer operating system
_No response_
### Relevant log output
_No response_
### Validations
- [X] Read our [Contributing Guidelines](https://github.com/matomo-org/matomo/blob/5.x-dev/CONTRIBUTING.md).
- [X] Follow our [Security Policy](https://github.com/matomo-org/matomo/blob/5.x-dev/SECURITY.md).
- [X] Check that there isn't already an issue that reports the same bug to avoid creating duplicates.
- [X] The provided steps to reproduce is a [minimal reproducible](https://stackoverflow.com/help/minimal-reproducible-example) of the Bug.
Seems there is no bugfix that far, and I continue to avoid bulk tracking. They say there is a token that allows GET parameters ( Secure use only = No ) that is supposed to be working. I did not try to investigate that, but I see when you create the token, you can deselect: Only allow secure requests. Try it out if that makes it work.