I believe an empty token would result in malformed headers, since the Authorization header would be invalid.