Can't get file access permission for AuthenticatedUser working

I’m logged into my app. The app is accessing and displaying an image file. To display the image, I’m using the “Source URL Logic”-binding in UI Builder.

The image is displayed correctly when using the following permissions for this file:

Now, I want to restrict the access to the image to AuthenticatedUser. Therefore, I’m setting the red cross for “NotAuthenticatedUser”:

The effect is however, that the image is not read-in by the application, although I’m working with a logged-in user, which should still have read access.

Browser Dev-Tools are showing the error

GET 400 (Bad Request)

Am I doing something wrong here?

Could you please create a test account for us and share the credentials as well as the link for the login page so we can experience the error on our side?

Hi @mark-piller ,
Is it possible to share such (and more) details via email with you?

Sure. please send an email to with the requested information and a link to this topic.

Email has been sent.

Hello @Klaas_Klever

Thank you for the information provided. We already have an internal ticket BKNDLSS-23971 for this problem. I have raised the priority for this ticket. As soon as the fix is available, we will let you know.


1 Like

Any news for this?

Hi Klass,

A logged in user is identified either by the user-token HTTP header or a cookie. The problem with the cookie approach (when it comes to fetching files) is the cookie is set for the domain and doesn’t apply to A workaround can be adding a custom domain to your app and then using it for both login API and to fetch files. It would be important to enable cookie-based authorization for the app (Users > Login section in console). Would that approach work for you?


Hi all.

I believe I have a similar issue with an app that I created. Please excuse the wording of my question, as I am a novice app creator and not a programmer.

For starters, I am using Backendless as the backend of my app, and AppGyver (no-code) as the front end, and transferring data to/from using RestAPI. The app involves having the user choose the correct label to a random image that appears. If the user correctly labels the image, they get a “‘correct’ Good Job” message, if they do not, they get a “‘incorrect’ Better luck next time” message.

When an authenticated user logs in to my app, it does not seem like Backendless assigns the AuthenticatedUser security role to that user during the login session, but rather the NotAuthenticatedUser security role. This seems to be true even though on my user table, each user under the permissions tab has the role of an AuthenticatedUser.

I deduce this because when an authenticated user is logged into my app and all security roles permissions at the table level for NotAuthenticatedUser are denied, I get the following error message:


But when an authenticated user is logged into my app and all security roles permissions at the table level for NotAuthenticatedUser are allowed, I get the following (expected) message:


How can I take advantage of the Backendless Security Roles in my specific situation? How do I “tell” Backendless that the user who is logged in is an authenticated user?


Hi Rick,

When you use the Login API, the response body contains a property called user-token:

The value of user-token is important as it identifies the user in all subsequent requests. If you do not pass the user-token value in a subsequent request, the server will have no idea what session/user the request is associated with. As a result, the role associated with that (subsequent) API request will be NotAuthenticatedUser. The solution is simple - add the user-token value in an HTTP header called user-token. The documentation describes it here:

Hope this helps.


Thanks! I’ll admit I’m a bit embarrassed to have missed this