Have you verified that the token has actually been added to your request?
You can do this, for example, using the Chrome Developer Tools.
Personally, I prefer to use the $ httpprovider.interceptor as described in:
angularjs $ httpProvider documentation interceptor
This ensures that tokens are always present on any call.
If you are accessing multiple APIs, you should add something like:
$httpProvider.interceptors.push(['$q', '$location', '$log', 'loginService', 'restHelperService', function ($q, $location, $log, loginService, restHelperService) { return { request: function (config) { // check if the request comes with an url if (config.url) { // check that the call is to the REST api, if yes add token if (restHelperService.isRestCall(config.url)) { // add auth header or revert to login if (loginService.userIsLoggedIn()) { config.headers = config.headers || {}; config.headers.Authorization = 'Token ' + loginService.getToken().token; } else { $location.path('/login'); } } } return config; }, responseError: function (response) { if (response.status === 401 || response.status === 403) { // clear auth token if the REST call failed with the current token if (response.config && response.config.url && restHelperService.isRestCall(response.config.url)) { $log.debug(" restCall failed due to bad credentials, resetting credentials"); loginService.resetCredentials(); $location.path('/login'); } } return $q.reject(response); } }; }]); }])
This avoids the problems that arise when adding a token to API calls that do not expect them. The code also ensures that the user is automatically redirected to the login page if the credentials are invalid.
In the example, I use two additional services. The loginService service, which manages tokens, and the RestHelperService, which manages the URLs of the REST structure.
I would recommend doing the same thing as otherwise it would be difficult to access credentials from outside your controller.