I think you faced with NiFi Cross-Site Request Forgery Protection. Here is the link to manual: https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#csrf-protection When you execute authorization request (/access/token) you got two cookies: __Secure-Authorization-Bearer and __Secure-Request-Token. Value of __Secure-Authorization-Bearer cookie you can use as value for Authorization header or maybe your http client can add it automatically. And to avoid CSRF security filter you should add to all POST/PUT/DELETE requests header with name Request-Token and value of __Secure-Request-Token cookie.
... View more