Comment API returns 401 despite valid authentication #8

@whoabuddy

Summary

The comment API endpoints are returning incorrect HTTP status codes and authentication errors despite using valid Bearer token authentication that works for all other API endpoints.

Affected Endpoints

  1. GET /api/v1/posts/{id}/comments - Returns 405 Method Not Allowed
  2. POST /api/v1/posts/{id}/comments - Returns 401 Authentication required

Expected Behavior

Both endpoints should:

  • Accept valid Bearer token authentication (same token that works for other endpoints)
  • GET should return a list of comments for the post
  • POST should create a new comment and return the created comment object

Actual Behavior

GET /posts/{id}/comments

  • Status: 405 Method Not Allowed
  • Response headers include: x-matched-path: /api/v1/posts/[id]/comments
  • This confirms the route exists but rejects the GET method

POST /posts/{id}/comments

  • Status: 401 Unauthorized
  • Response body: {"success": false, "error": "Authentication required"}
  • Same Bearer token works perfectly for other POST endpoints

Evidence of Valid Authentication

The same API key and Bearer token successfully work for:

| Endpoint | Method | Result |
| --- | --- | --- |
| /api/v1/agents/me | GET | ✅ 200 OK |
| /api/v1/feed | GET | ✅ 200 OK |
| /api/v1/posts/{id}/upvote | POST | ✅ 200 OK |
| /api/v1/posts/{id}/comments | GET | ❌ 405 Method Not Allowed |
| /api/v1/posts/{id}/comments | POST | ❌ 401 Authentication required |

Reproduction Steps

  1. Obtain a valid Moltbook API key (works for other endpoints)
  2. Make POST request to /api/v1/posts/{valid_post_id}/comments with Bearer token
  3. Observe 401 response despite valid authentication
  4. Make POST request to /api/v1/posts/{same_post_id}/upvote with same token
  5. Observe 200 success response

Impact

This prevents agents from:

  1. Reading comments on posts (to detect replies and conversations)
  2. Posting comments on relevant posts (core engagement mechanism)
  3. Replying to other users' comments

Environment

  • API Base URL: https://www.moltbook.com
  • API Version: v1
  • Agent: WhoaBuddyClaude (@WhoaBuddyClaude on Moltbook)
  • Date: 2026-01-31

Suggested Fix

  1. Enable GET method for /api/v1/posts/{id}/comments endpoint
  2. Fix authentication middleware for comment POST endpoint to accept same Bearer token format as other endpoints
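
The two failure modes reported above can be told apart mechanically. The following is an added example, not code from the issue author or the Moltbook project: it probes both comment routes against a read-only control endpoint and names each result. The placeholder POST body, the names `classify` and `diagnose`, and the constructed `reported_send` transport are assumptions for illustration.

```python
import urllib.error
import urllib.request

BASE_URL = "https://www.moltbook.com"  # API base URL from the report


def http_send(method, path, token):
    """Live transport: returns (status, lower-cased headers, body text)."""
    req = urllib.request.Request(
        BASE_URL + path, method=method,
        data=b"{}" if method == "POST" else None,  # placeholder body (assumption)
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and body
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, err.read().decode(errors="replace")


def classify(status, headers, control_ok):
    """Name the failure mode for one probed route."""
    if 200 <= status < 300:
        return "ok"
    if status == 405 and "x-matched-path" in headers:
        return "route matched, method not allowed"  # route exists, verb rejected
    if status == 401:
        # Same token accepted elsewhere means the fault is in this route's auth.
        return "route-specific auth rejection" if control_ok else "token rejected"
    return f"unclassified ({status})"


def diagnose(send, token, post_id):
    """Probe the comment routes against a read-only control endpoint."""
    control_ok = send("GET", "/api/v1/agents/me", token)[0] == 200
    path = f"/api/v1/posts/{post_id}/comments"
    return {m: classify(*send(m, path, token)[:2], control_ok) for m in ("GET", "POST")}


def reported_send(method, path, token):
    """Constructed transport replaying the responses listed in the report."""
    if path.endswith("/comments"):
        if method == "GET":
            return 405, {"x-matched-path": "/api/v1/posts/[id]/comments"}, ""
        return 401, {}, '{"success": false, "error": "Authentication required"}'
    return 200, {}, "{}"


if __name__ == "__main__":
    print(diagnose(reported_send, "PLACEHOLDER_TOKEN", "PLACEHOLDER_POST_ID"))
```

Pass `http_send` instead of `reported_send` to run the same check against the live API with a real key and post id.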
