I'm building a Flask application with an authentication middleware that checks for valid authorization tokens for all routes except /heartbeat. However, even though I'm passing a valid token in the Authorization header, the /protected route returns a 401 Unauthorized error.
middleware.py
import requests
import logging
from flask import request, jsonify
import json
from config import AUTH_API_URL
# Configure logging
# A module-scoped logger keeps auth diagnostics attributable to this file;
# basicConfig raises the root level to INFO so those records are emitted.
logger = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)
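def validate_token(token, timeout=5.0):
    """
    Call the external Auth API to validate *token*.

    Posts ``{"token": <token>}`` as JSON to ``AUTH_API_URL`` and reads the
    ``valid`` field of the JSON reply.

    :param token: The authorization token from the client (the caller has
        already removed any ``Bearer`` scheme prefix).
    :param timeout: Seconds to wait for the Auth API; without a timeout a
        stalled Auth API would block the request handler indefinitely.
    :return: True if the Auth API reports the token as valid; False on a
        non-200 status, a malformed reply, or a transport error (fail closed).
    """
    url = AUTH_API_URL  # External Auth API URL for token validation
    payload = json.dumps({"token": token})
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
    }
    try:
        # Make the request to validate the token
        response = requests.post(url, headers=headers, data=payload, timeout=timeout)
    except requests.exceptions.RequestException as e:
        logger.error(f"Error while calling Auth API: {e}")
        return False  # Transport failure: treat the token as invalid

    # Only the status goes to INFO; the body may echo the token or other
    # account data, so it is kept at DEBUG to stay out of routine log storage.
    logger.info(f"Auth API Response: {response.status_code}")
    logger.debug(f"Auth API Response body: {response.text}")

    if response.status_code != 200:
        logger.warning(f"Error validating token: status {response.status_code}")
        return False

    try:
        data = response.json()
    except ValueError as e:  # a 200 with a non-JSON body must not be trusted
        logger.error(f"Auth API returned a non-JSON body: {e}")
        return False

    if not isinstance(data, dict):
        logger.warning("Auth API reply is not a JSON object; treating token as invalid.")
        return False
    # bool() so the documented return type holds even if the API sends a
    # non-boolean value for "valid"; truthiness semantics are unchanged.
    return bool(data.get('valid', False))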
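def authenticate_request():
    """
    Middleware to check for the Authorization token on all routes except '/heartbeat'.

    Meant to run before each request: returning ``None`` lets the request
    continue, returning a response short-circuits it.

    :return: ``None`` when the endpoint is public or the token validates,
        otherwise a ``(json_response, 401)`` tuple.
    """
    allowed_routes = ["heartbeat"]  # Endpoint names that don't require authentication
    # request.endpoint is the view function's name ("heartbeat"), not the URL path
    if request.endpoint in allowed_routes:
        return None  # No authentication needed

    token = _extract_bearer_token(request.headers.get("Authorization"))
    # Never log the token itself: it is a credential and would be persisted in
    # log storage. Presence and length are enough to debug header problems.
    logger.info(f"Authorization header present: {token is not None}, token length: {len(token or '')}")

    # If token is missing or empty after cleaning, return Unauthorized response
    if not token:
        logger.warning("Missing or malformed Authorization token.")
        return jsonify({"message": "Missing Authorization Token"}), 401

    # Validate the token by calling the Auth API
    if not validate_token(token):
        logger.warning("Unauthorized access: Invalid token.")
        return jsonify({"message": "Unauthorized: Invalid Token"}), 401
    return None  # Continue processing the request


def _extract_bearer_token(header):
    """
    Return the credential part of an ``Authorization`` header value.

    The ``Bearer`` scheme name is matched case-insensitively (the scheme is
    case-insensitive per RFC 6750) and only as a prefix, so a token that
    happens to contain the text ``"Bearer "`` is not altered. A header
    without a scheme is returned as-is (stripped) so clients sending a bare
    token keep working.

    :param header: Raw header value, or ``None`` when the header is absent.
    :return: The stripped token string, or ``None`` when *header* is ``None``.
    """
    if header is None:
        return None
    scheme, _, credentials = header.strip().partition(" ")
    if scheme.lower() == "bearer":
        return credentials.strip()
    return header.strip()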
routes.py
from flask import jsonify
def register_routes(app):
    """
    Attach the public heartbeat and the protected route to *app*.

    Endpoint names are the view-function names (``heartbeat``, ``protected``);
    the auth middleware's allow-list compares against those names, not URLs.

    :param app: The Flask application to register the views on.
    """
    def heartbeat():
        # Liveness probe; expected to be reachable without a token.
        return jsonify({"message": "****-genai-py -> OK, version: 1.0.0"}), 200

    def protected():
        # Expected to sit behind the auth middleware.
        return jsonify({"message": "You've accessed a protected route!"}), 200

    # add_url_rule is what @app.route delegates to; the endpoint name
    # defaults to the view function's __name__.
    app.add_url_rule("/api/v1/heartbeat", view_func=heartbeat, methods=["GET"])
    app.add_url_rule("/api/v1/protected", view_func=protected, methods=["POST"])
config.py
import os
# Fetch Auth API host from environment variables (default to test)
# NOTE(review): the fallback points at the test environment, so a deployment
# that forgets to set AUTH_API_HOST validates tokens against the test Auth API
# instead of failing at startup — confirm that is the intended behaviour.
AUTH_API_HOST = os.environ.get("AUTH_API_HOST", "https://********-web-auth-api-tst.bcom3test")
# Full validate-token endpoint derived from the host
AUTH_API_URL = "/".join((AUTH_API_HOST, "api/v2/validate-token"))
So, even in Postman, when I send a POST request with the header key set to Authorization and the value set to Bearer , it still returns { "message": "Unauthorized: Invalid Token" }