I am using the Java Tracker to send bulk requests to Matomo v5.1.0. In the requests I have set fields that require the token_auth field to be present, with write or admin rights. I have created the token_auth accordingly, and with secure_only = 1 flag. When I use this token, I get tracking failures, that the token_auth field is missing, though it is there in the request. If I set secure_only to 0, the requests are working as expecting.
According to the documentation, secure_only = 1 is used to specify that the token_auth field should be used only in POST requests, and as far as I can tell from the logs, the Java Tracker is send POST requests to Matomo.
I have checked the configuration of Matomo, and only_allow_secure_auth_tokens is set to 0. I haven’t noticed any difference by changing its value to 1.
Would you have any idea what am I doing wrong or this a possible bug?
Thank you for your response. Yes, I can confirm that the token_auth param is sent in the request body, so I am not sure that’s where the issue is. Looking through the code, it seems that also the Java tracker handles it correctly and based on Matomo’s logs, I see that it receives the param in the request body.
Hi Alex. Can you please ensure that there are no intermediate proxies, firewalls, or other security tools in your network setup that could strip or alter the token_auth field from the requests before they reach Matomo.