Just FYI, if anyone is using php-fpm and getting unexpected unauthorized responses using the API, it could be because Apache doesn’t pass the auth headers to the external CGI process by default.
I had to add the following to my Apache config to get things to work: