If it's an API Key, you need to add the userId=
part, like Token <token>; userId=<userId>
. For example, Token abcdefg; userId=1
.
I think luceos example is wrong because the =
is missing.
Also make sure that registrations are enabled or that the userId is an admin.
A different issue is that your body payload is not properly formatted (it's not following json:api spec), but that will be a different 400 error once you fix the authorization part.