From 5f5a9828639e6cd28de754a7969bbe72fc7405ee Mon Sep 17 00:00:00 2001
From: Quentin Mondot <quentin.mondot@elabore.coop>
Date: Tue, 21 Apr 2026 18:02:53 +0200
Subject: [PATCH] [FIX] report_carbon : Remove Authorization header when using
 a self-hosted Carbone CE instance

---
 report_carbone/models/base/ir_actions_report.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/report_carbone/models/base/ir_actions_report.py b/report_carbone/models/base/ir_actions_report.py
index 1cd6dd5..4834e41 100644
--- a/report_carbone/models/base/ir_actions_report.py
+++ b/report_carbone/models/base/ir_actions_report.py
@@ -547,6 +547,10 @@ class IrActionsReportCarbone(models.Model):
             .get_param("report-engine.carbone_studio_url")
         )
         csdk.set_api_url(api_url)
+        # Carbone CE (self-hosted, securityLevel=0) does not require authentication.
+        # Sending a Bearer token causes a JWT validation error server-side.
+        if api_url and api_url != "https://api.carbone.io":
+            csdk._api_headers.pop("Authorization", None)
         return csdk
 
     def _get_json_data(self, export_json_instance, field_names, record, model, lang_codes):