I am currently using Postman to test my REST API. I've built it using Ruby-On-Rails, and using devise_token_auth to manage users sessions. After a successful log in, my API is rendering a client, an access-token, a token-type(BEARER) and an Uid. These elements are needed for every request that requires the user to be logged in and have to be sent on the header.

Let's say I am creating an article using a POST. The first POST succeeds and creates the article but when I try to create another article, I get :

{
  "errors": [
    "Authorized users only."
  ]
}

I suspect either Postman is behaving as a different client after each request, or my API is creating an access-token for the user after each request.

I finally managed to fix the issue:

According to devise_token_auth gem documentation, the access-token changes each time the client queries the API. Thus, I had to update the access-token, on my headers, whenever I wanted to send a request to my API.

To prevent the access-token from being changed after each request, add the following line to confing/initializers/devise_token_auth.rb:

 config.change_headers_on_each_request = false