Yii2-admin in Rest controller


I have the following in a REST controller:

public function behaviors() {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class' => HttpBasicAuth::className(),
            'except' => ['login']
        $behaviors['access'] = [
            'class' => AccessControl::className(),
            'allowActions' => ['login']
        return array_merge($behaviors, [
            // For cross-domain AJAX request
            'corsFilter'  => [
                'class' => \yii\filters\Cors::className(),
                'cors'  => [
                    // restrict access to domains:
                    'Origin'                           => self::allowedDomains(),
                    'Access-Control-Request-Method'    => ['POST', 'GET', 'OPTIONS'],
                    'Access-Control-Allow-Credentials' => true,
                    'Access-Control-Max-Age'           => 0,   
                    'Access-Control-Allow-Origin' => self::allowedDomains(),
                    'Access-Control-Allow-Headers' => ["Origin", "X-Requested-With", "Content-Type", "accept", 'Authorization'],

Locally this works, but on my live machine I cannot get anything but 403 forbidden. If I disable access in behaviors it works fine. what am I missing?

Probably credentials are different?

No, it’s the same DB it’s connected to. Does anything look wrong with my config? I think it seems fine

Can you provide server response headers for CORS request?
(eventually also request headers)
Is your client properly configured? E.g. are you sending auth credentials using withCredentials ?
Is server certificate valid?
Did you try to allow all domains to verify that domain is not blocked? (allowedDomains = "*")