Hi Joel,
It sounds like your API key isn’t coming through when the Published REST service is deployed in Mendix Cloud, even though it works fine locally. This usually happens because the Mendix Cloud environment applies additional security measures that might strip certain headers, especially those that look like authentication-related ones. You could try changing the header name to something less common, like X-My-Custom-API-Key, and see if that makes a difference. Also, Mendix can be case-sensitive with headers, so double-check that the exact name you’re sending from Postman matches what your microflow expects.
Another possibility is that your CORS settings, even though they allow all sources, might not be configured to allow custom headers. You can try explicitly adding your API key header in the Mendix CORS settings. Additionally, because Mendix Cloud uses a reverse proxy, it might be modifying or filtering out certain headers before the request reaches your app. A good way to check this is to send a test request from Postman with an extra, unrelated header like X-Debug: test and see if it shows up in the logs. If that one appears but the API key doesn’t, then it’s likely being removed for security reasons.
To get more insight, you can also enable the REST consume log node in your Mendix Cloud console to see what’s actually being received. If none of this helps, let me know what you see in the logs, and we can try a different approach!
Let me know,
Hope it helps!
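
The control-header check described in the reply above, written out as an added example (not part of the original post and not Mendix code): it compares the headers sent from the client with the header names copied from the app's log and says which case applies. The function name `classify` and both sample header sets are constructed for illustration.

```python
# Added example. SENT and RECEIVED_SAMPLE are constructed, not real Mendix logs.

SENT = {"X-My-Custom-API-Key": "<api-key-placeholder>", "X-Debug": "test"}
# Header names as they might be copied from the app's request log (constructed).
RECEIVED_SAMPLE = {"x-debug": "test", "Host": "app.example.invalid"}


def classify(sent, received, key_header, control_header="X-Debug"):
    """Compare headers the client sent with headers the app logged.

    HTTP header names are case-insensitive, so matching uses lower-cased
    names. A casing difference is reported separately, because an
    exact-case lookup on the app side would miss such a header.
    """
    recv_lower = {name.lower(): name for name in received}

    def status(name):
        if name not in sent:
            raise ValueError(f"{name} was not part of the test request")
        seen = recv_lower.get(name.lower())
        if seen is None:
            return "missing"
        return "ok" if seen == name else "case-changed"

    key, control = status(key_header), status(control_header)
    if key == "missing" and control != "missing":
        verdict = "key header filtered in transit; control header passed"
    elif key == "missing":
        verdict = "no custom headers arrived; check routing or logging first"
    elif key == "case-changed":
        verdict = "key header arrived with different casing; match it case-insensitively"
    else:
        verdict = "key header arrived intact; look at the app-side check"
    return {"key": key, "control": control, "verdict": verdict}


if __name__ == "__main__":
    print(classify(SENT, RECEIVED_SAMPLE, "X-My-Custom-API-Key"))
```
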