If your site is on https then it may be possible that there might be some mod security on server that is not authenticating any call to server from app .
It seems like the https in your site is stripping the authorization code(a required parameter while making call to server) which is sent in headers .
Please check this source : https://github.com/gesellix/keepass-node/issues/9
and these relevant links : https://stackoverflow.com/questions/26549250/apache-strips-down-authorization-header
https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth
https://stackoverflow.com/QUESTIONS/26549250/APACHE-STRIPS-DOWN-AUTHORIZATION-HEADER
https://stackoverflow.com/questions/9780966/where-do-i-put-wsgipassauthorization-on
You need to allow access for authorization to stop stripping of the authorization code from headers .
Please contact your webhost on this .They would have to disable such mod security for this .
