Forum Discussion
AI Foundry - Open API spec tool issue
Hello,
I'm trying to invoke my application's API as a tool within the AI Foundry OpenAPI specification tool. However, I keep encountering a 401 Unauthorized error. I'm using a Bearer token for authentication, and it works perfectly when tested via Postman.
I'm unsure whether the issue lies in the input/output schema or the connection configuration. Unfortunately, the AI Foundry Traces aren't providing enough detail to pinpoint the exact problem.
Additionally, my API and AI Foundry accounts are hosted in different Azure subscriptions and networks. Could this network separation be affecting the connection?
I would appreciate any guidance or help to resolve this issue.
-Tamizh
1 Reply
hi Tamizh hi A 401 Unauthorized in AI Foundry while the same request works in Postman usually points to one of these areas:
Bearer token handling
Postman often refreshes tokens behind the scenes. In AI Foundry, you'll need to make sure the token is valid and not expired at the time of the call.
Double-check that the Authorization: Bearer <token> header is explicitly included in the tool definition and matches your API requirements.
Tool schema vs. connection config
If the input/output schema doesn't align with the API spec (for example, expecting JSON body vs. query params), the request may fail before auth even applies.
Validate the schema by comparing the AI Foundry tool config with a working Postman export.
Network / subscription separation
Yes, this can matter. If your API is hosted in a different subscription or behind a VNet/firewall, AI Foundry may not be able to reach it unless you:
Configure a private endpoint or expose the API to the internet securely.
Ensure the AI Foundry's managed identity has access rights to the API if RBAC is involved.
Debugging
In AI Foundry, check the tool connection configuration (Manage ‚Üí Connections) and confirm the right base URL and auth type are applied.
Try generating a fresh token and testing again.
If possible, temporarily expose the API publicly with limited access (e.g., IP restriction or test environment) to confirm if network isolation is the blocker.
