If your site is on HTTPS, it is possible that there is some ModSecurity on the server that is not authenticating any call to the server from the app.
It seems like the HTTPS on your site is stripping the authorization code (a required parameter when making a call to the server), which is sent in the headers.