Comment 2 for bug 1826940

Ok it looks like the problem is based around this:

In webservice_base_server::run() there is the following:

        // init all properties from the request data
        $this->parse_request();

        // authenticate user, this has to be done after the request parsing
        // this also sets up $USER and $SESSION
        $this->authenticate_user();

The authenticate_user() method sets $this->auth to be a string like 'TOKEN'

But there is also the webservice_rest_client that set an 'auth' variable for it's own use

So if using REST auth and the parse_request() fails then we have the wrong $this->auth value set by the looks of things