supabase graphql endpoint returns 401 {"message":"invalid signature"} on call with valid jwt in Authorization: Bearer header #504
Comments
I was using the URL https://api.supabase.com/platform/projects//api/graphql from the GraphiQL explorer instead of https://.supabase.co/graphql/v1. I'm curious why this URL won't work when I see it in the browser. The return from the /api/graphql etc. endpoints should be a lot clearer than "invalid signature". I am still curious how that error is generated. The doc comments remain valid.
@DavidOrchard did you happen to modify the JWT payload before sending the request? The JWT verification is handled by PostgREST so I doubt it's an issue with
I did not modify the payload |
@steve-chavez any idea what could cause the 401 error? |
@imor This should be coming from Kong: https://stackoverflow.com/questions/45164319/kong-jwt-invalid-signature PostgREST errors come in a different (more informative) format: https://postgrest.org/en/v12/references/errors.html#errors-from-postgrest |
Bug report
Describe the bug
The graphql endpoint for my project returns 401 {"message":"invalid signature"} when I use any user's session access_token as described in the docs. I can access the graphql endpoint from the https://supabase.com/dashboard/project//api/graphiql when impersonating that user.
To Reproduce
JS code
output is
Expected behavior
I expect the endpoint to return the GraphQL response.
Additional context
Where is the "invalid signature" message generated? I looked through supabase, supabase-js, auth, auth-js, auth-helpers, pg_graphql, github.com/golang-jwt/jwt, https://pkg.go.dev/go.imperva.dev/demos/matrix-chat/internal/api/demo#ParseJWTClaims, and I could not find where that string is generated and where the 401 is returned.
The token shown above appears valid per the online jwt decoder at https://10015.io/tools/jwt-encoder-decoder as it's decoded as
JWT Header
Separately, the docs are quite inconsistent about which headers and keys are required and the endpoints.
Relay example https://supabase.com/docs/guides/graphql/with-relay shows
Apollo example shows no apiKey header nor fallback to anon key.
Quickstart docs at https://supabase.com/docs/guides/graphql also show /v1 in the URL, but my project's URL, https://supabase.com/dashboard/project/<projectid>/api/graphiql, clearly has no /v1. The quickstart docs have a broken link to the API key section, https://supabase.com/docs/guides/graphql#api-key-api_key
The graphiql explorer doesn't show the apiKey in the Headers section.
The graphql query that the explorer makes doesn't show the apiKey header.