REST API 401 Unauthorized

I am trying to create a new node with POST through REST in D8. I have enabled the relevant modules (hal, serialization, http basic authentication, Rest web services, rest ui) and added the required permissions to users (create content). I configured the services with restui and added basic_auth for authentication and allowed post on my endpoints. I send X-CSRF-Token together with Content-Type json (or jal+json as configured) and I get either a login popup (basic auth style with user/pass) in restlet client and a 401 Unauthorized with this response.

{ “message”: “No authentication credentials provided.” }

I even tried using cURL from command line to create my node, with the same result and a GuzzleHttp Exception.

PHP Fatal error: Uncaught exception ‘GuzzleHttp\Exception\ClientException’ with message ‘Client error: POST http://www.xxxxxx.com/loyalty/node/?_format=json resulted in a 401 Unauthorized response: {“message”:”No authentication credentials provided.”} ‘ in /home/xxxxx/public_html/loyalty/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113

If I allow anonymous to create articles and disable basic_auth everything works fine.

Any clues?