Using POSTMAN , everything is fine :

I pass the same headers,params,... to superagent as following :

const superagent = require('superagent');
const grab = require('ps-grab');


superagent.get('https://x.rathath.net/issue_statuses.json')
    .set({
        'Accept': 'application/json',
        'Content-Type': 'application/json'
    })
    .auth(grab('--user'),grab('--password'))
    .send({})
    .end((error,response)=>{
        console.log(response.text);
    });

However it is failed !

I have a doubt in : superagent+Authorization Header+ OSX .. I mean compatibility of those three .

Indeed, I run the same javascript snippet on Redhat machine and it works fine.

The difference is that you are probably making a call to another domain than where your js app is running. This is called CORS. When you do that, combined with Authentication, the server needs to return CORS headers, saying:

access-control-allow-credentials: true
access-control-allow-origin: your-app-domain.here

Two pitfalls:

• Forgetting .withCredentials() in your superagent call. This is not just for cookies but also for Authentication.
• The server returning * instead of your domain, but that is not allowed in combination with Authentication.