HTTP/1.1 401 Unauthorized

Getting this error while trying to get sample stream data via AngularJS $http.get call()

Request URL: http://localhost:2113/streams/%24stats-
Request Method: GET
Status Code: HTTP/1.1 401 Unauthorized
Request Headers 19:35:19.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Referer: http://localhost:63342/AngularTest/index.html
Origin: http://localhost:63342
Host: localhost:2113
Connection: keep-alive
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, /
Response Headers Δ1ms
WWW-Authenticate: Basic realm=“ES”,Basic realm=“ES”
Server: Microsoft-HTTPAPI/2.0
Content-Type: text/plain; charset: utf-8
Content-Length: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, DELETE, GET, OPTIONS
Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER

I understand that according to the Doc I have to Authenticate, however passing Authorization header does not help.

Getting Request header field Authorization is not allowed by Access-Control-Allow-Headers.

Any help is tremendously appreciated!


You need admin rights to read the $all stream. You can read more about that here:

In general you need to be admin to read from $all unless you have changed your default acls.

Also it would be quite odd to be reading $all from a browser as it may have a LOT of events in it. What are you trying to do here?

Thanks for the replies guys.

I am not trying to read $all. I agree, Greg, that would be insane.

Here is some more clarification.

  1. We are trying to create a prototype application to evaluate how, using MOM (Eventstore), we can integrate our Web based client application with our back-end system which is called Power Service. Yes the domain we are in is Power Control/Management.
    So far we using in-memory Message Bus, however as we move forward with more integrations we want to move to out-of-band solution. The only approach I see for this eval app is using HTTP API (open for any other solution though)
  2. Client side is AngularJS.
  3. I am implementing polling solution as in JavaScript Example
  4. The stream that I am trying to read is that sample stream of local PC stats collection. As you see in Request URL. No sure why you mention $all.
  5. I edited ACL for that stream adding $admins to all groups.
  6. I use default admin:changeit credentials.
  7. When I use CURL as suggested in Docs it authenticates no problem and gives the result back
    Any suggestions?

Thank s a lot!




  1. When I use CURL as suggested in Docs it authenticates no problem and gives the result back

Are there some special things that are needed with angular? That it works with curl basically says it works :slight_smile:


Our new UI uses Angular (apparently!) -
- this might help you.


That was my mistake, I got lost in all that percent encoding :slight_smile:

Well. That is what drives me crazy. :slight_smile:

Not sure there is anything special about Angular.

I used $.ajax call before (as in the example) - same result.

How does one pass credentials via these calls anyways?

Using Authorization Header does not work as you see in my original post.

Thank you, Greg.


its standard http authentication

Hey James,

I searched the code base for any Authentication…

So the only place it is used is in run.js and it is for testing purposes. as it says in the comments. :slight_smile:

In fact I use the same “$http.defaults.headers.common.Authorization = 'Basic ’ + encoded;” way of doing it right before the actual call.

However it is setting Authorization header of the request that gets rejected with this message: “XMLHttpRequest cannot load Request header field Authorization is not allowed by Access-Control-Allow-Headers.” And looking at Response I see this: Access-Control-Allow-Headers:Content-Type, X-Requested-With, X-PINGOTHER

Seems like what it says - Authorizing this way is not allowed.

Any thoughts?

Thank you a lot!



That requires having built with the dev branch I think - the pull requests for CORS were made after the 3.0RC. They will be in the v3 release though.



Thanks James.

I’ll check it out.


Just to update.

The problem with authentication seems to exist for v.2. where I do not see Authorization header in the allowed headers in the Response. (e.g. Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER) so passing it gives me rejection.

In v.3.0 RC2 however, I see Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER, Authorization and I authenticate with no problem.

Also, working on making AngularJS tweaks to Javascript polling solution since the example uses jQuery and some assumptions about the structure of the returned JSON which are not true anymore.

Thanks everyone for the help



Very old, but this answer has what is needed: