DeathGun44 · DeathGun44 · Mar 30, 2026
diff --git a/src/app/core/authentication/authentication.interceptor.ts b/src/app/core/authentication/authentication.interceptor.ts
@@ -41,8 +41,7 @@ export class AuthenticationInterceptor implements HttpInterceptor {
    * Intercepts a Http request and sets the request headers.
    */
   intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
-    // Skip Fineract auth headers for external API calls (e.g. remittance, national ID)
-    if (request.url.startsWith('http://') || request.url.startsWith('https://')) {
+    if (this.isExternalUrl(request.url)) {
       return next.handle(request);
     }
     if (this.settingsService.tenantIdentifier) {
@@ -52,6 +51,23 @@ export class AuthenticationInterceptor implements HttpInterceptor {
     return next.handle(request);
   }
 
+  /**
+   * Absolute URLs pointing at our own Fineract server are internal — ApiPrefixInterceptor
+   * (in HttpService's dynamic chain) may have already converted relative URLs to absolute ones.
+   */
+  private isExternalUrl(url: string): boolean {
+    try {
+      const requestOrigin = new URL(url).origin;
+      const server = this.settingsService.server;
+      if (server) {
+        return requestOrigin !== new URL(server).origin;
+      }
+      return true;
+    } catch {
+      return false; // Relative URL (new URL() throws) → internal
+    }
+  }
+
   /**
    * Sets the basic/oauth authorization header depending on the configuration.
    * @param {string} authenticationKey Authentication key.