use private-toke to approve merge request then return 401

When I use a private-token to approve a merge request always return 401. As following:

POST https://xxx.com/api/v4/projects/project_id/merge_requests/meger_request_id/approve

• headers contained PRIVATE-TOKEN

{
    "message": "401 Unauthorized"
}