Noticed that token information, when sent to a 3rd party service in the format "https://domaindotcom/login/token/blah.blah.blah.blah", works fine when copying and pasting it into the browser.
Now, when the same token is sent from a webpage sitting on an internal website via a PHP redirect (using the header function) we get issues. The redirect executes, the token triggers the event with the vendor, but it fails to finalize.
The page sits on a web server which is NOT accessible by the world.
Differences perhaps in what information gets sent out via these two methods?
Would a browser send more info when a PHP script is triggered on it such as referer?
Perhaps referer information is received via the PHP header redirect function, and the vendor attempts to ping back (if their server detects a referer), but since the server is not accessible it may be flagged and the process killed?
Would appreciate thoughts and ideas on what may be happening. Thank you!
Source: Ask PHP