Access to icinga2 api from agent/satellite - Unautorized

I don’t know if I’m missing someething, or I do not understand some part of icnga2 config correctly. I’m using icinga2 + icinagweb2 director since 2017 and everything is working smoothly. I have about 15 zones. I’m using icinga2 api on master, schedulling downtimes, sending passive check results etc. Satellites are connecting from outside world to NATed IP. But so far I could not connect to API by simple curl call on any agent or satellite.

I’m always getting “{“error”:401.0,“status”:“Unauthorized. Please check your user credentials.”}” . I have api users defined on master in /etc/icinga2/conf.d/api-users.conf, and I can get list of all users by calling “icinga2 object list --type apiuser”.

But this doesn’t work on satellite or agent. It just show empty list. I’m using the same ApiUser and password when sending requests to API. So how this is suppose to work? Or could you tell me what I’m missing? Should I set this somehow in icingaweb2 director?

what’s the content of /etc/icinga2/features-enabled/api.conf on the satellite?
according to that “Is api-users.conf synced from master?” api users are not and should be not synced so if /etc/icinga2/conf.d/api-users.conf is empty on the satellite there is no api user on the satellite