Are you certain the form is "Authorization: Token token <token-value>" ?  And not just "Authorization: Token <token-value>" ? 

I've seen a lot of APIs and token schemes, but using the token keyword twice and then the actual token seems odd.

Oh, also your bash script puts the token value in quotes, but your SAS code does not have that.  Maybe you need something like:

 headers "Authorization" = "Token token = ""&token""" ;

Chris, thank you for the suggestions!

"Token token = ": I'm not completely sure about it, but since it works in bash, it should be correct.

Quotes: Yes, I know about this difference, but I've already tried your suggestion, as well as (one by one and a few other modifications how to pass the quotes):

%let token=%22&token%22;
%let token=%str(%")&token%str(%");
%let token=%bquote(")&token%bquote(");

Nothing works. Sorry, I should have mentioned that in my original post.

You can try the DEBUG LEVEL=3; statement on PROC HTTP to maybe get more details about what is being sent. Also, since you are using the -k flag on curl, maybe you need this statement in PROC HTTP:

SSLPARMS "SSLREQCERT"="ALLOW";

Do you suggest

proc http
      url="&url"
      method="GET"
      out=out;
      headers "Authorization" = "Token token = ""&token""" ;
      SSLPARMS "SSLREQCERT"="ALLOW";
      DEBUG LEVEL=3;
 run;

?

If my syntax is correct (I haven't found an example of the SSLPARMS usage), it makes no difference. The debug level of 3 procudes:

> GET /XXX/YYY/ZZZ HTTP/1.1
> User-Agent: SAS/9
> Host: XXX
> Accept: */*
> Connection: Keep-Alive
> Authorization: ************
>
< HTTP/1.1 401 Unauthorized
< server: nginx
< date: Wed, 02 Aug 2023 14:41:52 GMT
< content-type: text/plain
< content-length: 21
< cache-control: no-cache
< x-request-id: ea3c2385-fcf4-4a21-9df0-69ade9a4b6c7
< x-runtime: 0.000492
< 
< 00007F765802B461: 41 75 74 68 6F 72 69 7A 61 74 69 6F 6E 20 6D 69 Authorization mi
< 00007F765802B471: 73 73 69 6E 67                                  ssing           
NOTE: PROCEDURE HTTP used (Total process time):
      real time           0.00 seconds
      cpu time            0.00 seconds
      
Received code: 401
Received phrase: Unauthorized

Url and the host are correct and identical to the bash, I just don't want to share it unless really necessary.

I also tried various options of quoting the token, no success.

Is it a documented API that we can see somewhere? Or something that's internal/proprietary. Sometimes by looking at API doc I can work out the magic incantation.

Ok, if you are willing to dig into the topic, I'm trying to use conjure api with the token: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Authenticate.htm?tocpath=Developer%7C...

It's equivalent of the last example without the certificate (it works without it in bash, see my original post).

curl --cacert <certfile> \
     -H "Authorization: Token token=\"$response\"" \
     <url>

I haven't found any example for the conjure API with SAS.

The token has been previously obtained by another proc http and coded to base64. This should be correct, because when I copy-paste the token obtained in SAS to the shell script, it also works (when not using a "hard-copy" of the token, the bash script downloads the token itself as well).

There is a limited time validity of the token; but, of course, I'm sure that all the time I'm using a valid one, which was downloaded right before this proc http.

Edit: This may be slightly more appropriate: https://docs.conjur.org/Latest/en/Content/Developer/Conjur_API_Retrieve_Secret.htm?tocpath=Developer... (obtaining a password, the authentication is used as shown above)

It may be that your curl/bash environment was finding the cert via normal environment variables that were not available in your SAS session.