Disable redirect for API when incorrect authorization, keep is for the website


I hope someone can point me in the right direction…

In my middleware I have an authentication setup for a normal login and an login with a token (API login), that works as expected.

When I want to access a page in my browser that is not allowed for the user role I’m begin redirected to the login page (wanted behavior) even when I’m logged in.

Now… When I access the API with an incorrect token I’m also begin redirected. How can I setup the authorization middleware in such a way that it throws a 403 when the API uses a wrong token? And… when the users tries to access a page that is not allowed he is being redirected?

I now have this in the Application.php

$middlewareQueue->add(new AuthenticationMiddleware($this));

            $middlewareQueue->add(new AuthorizationMiddleware($this, [
                'requireAuthorizationCheck' => false,
                'unauthorizedHandler' => [
                    'className' => 'Authorization.CakeRedirect',
                    'url' => ['plugin' => false, 'controller' => 'Login', 'action' => 'index'],
                    'queryParam' => 'redirectUrl',
                    'exceptions' => [
            $middlewareQueue->add(new RequestAuthorizationMiddleware());

I have no clue how to “link” the exceptions with the normal website and the API prefix…

The API has a specific route section in the routes.php:

$routes->prefix('Api/V1', function (RouteBuilder $routes) {
    $routes->setExtensions(['json', 'xml']);


Thanks for reading this and, hopefully, thank you for the input.