THIS ISSUE HAS BEEN SOLVED: The authentication token had a "\n" incorrectly added, which effectively broke the request. 400 Bad Request was a very appropriate answer...
We are building a Swagger server API in nodejs, which provides a service to obtain a JSON web token for authentication, and then requires that token for calling all other services.
The API is working as designed, except with particular clients: if an Authorization header is added, the call always fails with "400 Bad Request".
Digging deeper, what we observe is that the clients that fail do so because they send the HTTP header "Expect: 100-continue", which the nodejs server seems to ignore, trying to parse the request anyway, leading to the "400 Bad Request" response.
This behavior was observed on .NET clients, and the behavior makes sense: the client sends only headers, waiting for clearance on the Authorization, before sending the rest of the (potentially long) request data. This saves bandwidth and resources on both client and server, although it might lead to slightly longer latency.
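
The resolution noted at the top of the post was a stray "\n" in the token. As an added example (not code from the original post), this JavaScript checks a token before it is placed in an Authorization header and reports the offending character; `inspectBearerToken` and the sample token are constructed for illustration.

```javascript
// Added example: pre-flight check for a bearer token before it goes into an
// Authorization header. The function name and sample token are constructed.

// RFC 7230 field values allow HTAB, SP, visible ASCII and obs-text (0x80-0xFF).
// CR, LF and other control characters are not allowed.
const INVALID_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;
// Compact JWT shape: three base64url segments separated by dots.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function inspectBearerToken(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, problems: ['token is empty or not a string'], header: null };
  }
  const problems = [];
  const bad = INVALID_HEADER_CHAR.exec(raw);
  if (bad) {
    // Report the byte and its position so the source of the defect is easy to find.
    const code = bad[0].charCodeAt(0).toString(16).padStart(2, '0');
    problems.push(`illegal character 0x${code} at index ${bad.index} of ${raw.length}`);
  }
  if (raw !== raw.trim()) {
    problems.push('leading or trailing whitespace');
  }
  if (!JWT_SHAPE.test(raw.trim())) {
    problems.push('not three base64url segments');
  }
  const ok = problems.length === 0;
  // Refuse to build the header instead of silently repairing the token.
  return { ok, problems, header: ok ? `Bearer ${raw}` : null };
}

// Constructed sample: a JWT-shaped string, then the same string with the
// trailing newline described at the top of the post.
const SAMPLE = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl';
console.log(inspectBearerToken(SAMPLE));
console.log(inspectBearerToken(SAMPLE + '\n'));
```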