Hi,
I am getting the below error with the A042 endpoint to download an attachment.
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Bearer hM18ZkAmUaH9ndgMKehmKoMTbzLm2TE850YR0YTC5TA3</ArgumentValue></Error>
I am adding only the token in the header.
Any pointers on what may be causing this would be a great help.
Thanks
Devendra
Hi Devendra,
This error is happening because this endpoint uses a 307 Temporary Redirect to a pre-signed S3 download URL.
Your initial call to A042 (/R4/Binary/{id}) should include the normal e-RS header, as you’ve said:
Authorization: Bearer
However, when the client follows the 307 redirect and makes the second request to the Location URL, it is still sending the same Authorization: Bearer header. Since the redirect URL already contains its own authentication details (for example X-Amz-Algorithm and the signature), S3 sees two authentication mechanisms and returns:
InvalidArgument: Only one auth mechanism allowed…
To resolve this, keep the Bearer token on the first request to e-RS, but ensure the follow-up request to the redirected Location URL is made without the Authorization header.
Hope this helps,
Petko
Hi Petko,
Thanks for your reply. I am getting the error in the first request only. I am not getting any Location URL in the first call and making a second call to the Redirected URL. The end point A042 seems to be making the call internally to S3. My code looks like below:
// Fragment: httpClient and token are defined elsewhere in the application.
HttpGet request = new HttpGet("https://int.api.service.nhs.uk/referrals/FHIR/R4/Binary/9908a42d-72fb-4a3f-bf9e-1013a14e113a");
request.addHeader("content-type", "application/json+fhir");
request.addHeader("Authorization", "Bearer " + token);
HttpResponse response = httpClient.execute(request);
// Print every response header, then the status line
for (Header h : response.getAllHeaders()) {
    System.out.println("Name " + h.getName() + " Value " + h.getValue());
}
System.out.println("Response Code " + response.getStatusLine().toString());
// Read the whole response body into memory and print it as text
ByteArrayOutputStream outstream = new ByteArrayOutputStream();
response.getEntity().writeTo(outstream);
byte[] responseBody = outstream.toByteArray();
System.out.println(new String(responseBody));
I get the below output
Name x-amz-request-id Value DZHHB8NQWZYW4FE2
Name x-amz-id-2 Value 4nJZd0RKEGSy0TmutzoXrI7fDVA/gvgLE5E+bShZxGPSIce6OoSgpXHt79nQbru+AA5E8c+AbVEGZTc8CqAfInSxdBbJrh51
Name Content-Type Value application/xml
Name Transfer-Encoding Value chunked
Name Date Value Tue, 20 Jan 2026 18:50:04 GMT
Name Connection Value close
Name Server Value AmazonS3
Response Code HTTP/1.1 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>Bearer Ax7goITqR6glmEvzOaGG8ZlsbvXW</ArgumentValue><RequestId>DZHHB8NQWZYW4FE2</RequestId><HostId>4nJZd0RKEGSy0TmutzoXrI7fDVA/gvgLE5E+bShZxGPSIce6OoSgpXHt79nQbru+AA5E8c+AbVEGZTc8CqAfInSxdBbJrh51</HostId></Error>
Hi Devendra,
Thanks for sharing the code and output. The response is coming from Amazon S3 (Server: AmazonS3), which means the client is following the 307 redirect returned by A042 and calling the S3 download URL.
Although your code only executes one request, httpClient.execute(request) is auto-following the redirect and re-sending the same Authorization: Bearer header to S3, causing the “Only one auth mechanism allowed” error, since the S3 link is already signed.
To fix this, disable automatic redirect handling, capture the Location header from the 307 response, then make a separate GET request to that Location URL without the Authorization header.
Let me know if this works,
Thanks,
Petko
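The fix described in the reply above, as an added example that is not part of the original thread or of the e-RS documentation. It assumes Apache HttpClient 4.3 or later; the class and method names (BinaryDownload, download) are hypothetical, and the HTTPS check on the redirect target is an extra precaution not mentioned in the thread.

```java
import java.io.IOException;
import java.net.URI;
import org.apache.http.Header;
import org.apache.http.HttpHeaders;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class BinaryDownload {
    /** Fetches an attachment: Bearer token goes to e-RS only, never to the pre-signed URL. */
    public static byte[] download(String binaryUrl, String token) throws IOException {
        // Redirects are handled by hand so the token never leaves the e-RS host.
        try (CloseableHttpClient client = HttpClients.custom().disableRedirectHandling().build()) {
            HttpGet first = new HttpGet(binaryUrl);
            first.addHeader(HttpHeaders.AUTHORIZATION, "Bearer " + token);
            URI location;
            try (CloseableHttpResponse resp = client.execute(first)) {
                int status = resp.getStatusLine().getStatusCode();
                Header loc = resp.getFirstHeader(HttpHeaders.LOCATION);
                EntityUtils.consumeQuietly(resp.getEntity());
                if (status != 307 || loc == null) {
                    throw new IOException("Expected 307 with Location, got " + resp.getStatusLine());
                }
                location = first.getURI().resolve(loc.getValue());
            }
            if (!"https".equalsIgnoreCase(location.getScheme())) {
                throw new IOException("Refusing non-HTTPS redirect target");
            }
            // The pre-signed URL is itself a credential: send no Authorization header, do not log it.
            HttpGet second = new HttpGet(location);
            try (CloseableHttpResponse resp = client.execute(second)) {
                if (resp.getStatusLine().getStatusCode() != 200) {
                    EntityUtils.consumeQuietly(resp.getEntity());
                    throw new IOException("Download failed: " + resp.getStatusLine());
                }
                return EntityUtils.toByteArray(resp.getEntity());
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // args[0]: A042 Binary URL, args[1]: access token (both supplied by the caller)
        byte[] body = download(args[0], args[1]);
        System.out.println("Downloaded " + body.length + " bytes");
    }
}
```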
Hi Petko,
Thank you very much for the suggestion. It is working fine now.
Devendra