Supabase • 3w ago
Hugo

invalid api key

🚨 Auth Failure in Production (401 "Invalid API Key") – Need Help

Hi team, I'm running into a critical authentication failure with Supabase on my production deployment (Netlify). Hoping someone can help or escalate:

Problem Summary
✅ Localhost (localhost:3000) — Auth works perfectly
❌ Production (*.netlify.app) — Fails on sign-in with 401 Unauthorized (Invalid API Key)
Consistently reproducible across all users and devices

🔑 Key Observations
- The anon API key works for DB queries (e.g., fetching profiles).
- Only the Supabase Auth service is returning 401 on /auth/v1/token?grant_type=password.
- Environment variables are correct — VITE_SUPABASE_URL and VITE_SUPABASE_ANON_KEY match the dashboard and load in production.
- Netlify is correctly routing — UI loads, but auth API fails.
- Multiple auth flows fail — PKCE and password-based login both return 401.
- Have not tried rotating JWT signing key — doing so would break critical edge functions, so I'm holding off.
- Support ticket already submitted — I'm a paid Pro user and awaiting a reply from the Supabase team.

🧪 What I've Tried (but didn't fix it)
- Vite config tweaks
- Netlify redirect rules
- Circular dependency fixes
- UI cleanup
- RLS policy adjustments
- Bypassing custom edge functions
- Full project restart
(Details omitted here, but happy to provide full audit if needed.)

🧠 Suspected Root Cause
Could this be tied to a bug related to the JWT signing key update? I suspect the Auth microservice is misconfigured or rejecting valid anon keys for grant_type=password flows — despite the same key working for DB operations.

📣 Ask
Can someone from the Supabase team please:
- Confirm if this could be infra-related?
- Help validate whether a migration or auth service reset is needed?
- Suggest any other safe debugging steps (short of rotating the JWT signing key)?

We're completely blocked in production. Grateful for any guidance — happy to DM logs or network traces if helpful. Thanks in advance!
6 Replies
Hugo (OP) • 3w ago
This is the console error I get when attempting to log in to my app in production.
garyaustin • 3w ago
Check the auth logs in dashboard and see if there is more detail. It might show the key being used. Unless you enabled the new API keys they should not be involved.
Hugo (OP) • 3w ago
It's a conundrum. Logs show I'm successfully logged in/authenticated, but the actual production auth page hits me with 'invalid api key'... and for the life of me I can't progress past the auth page. I've tried authenticating with different browsers and cleared cache/cookies, but at this point I suspect this is a client-side vs server-side disconnect, a UI state management problem, or token issues.

Client-Side vs Server-Side Disconnect
- Server: Auth works, user authenticated
- Client: JavaScript can't read/process the auth state
- Auth redirect/callback might be broken

JWT Token Issues
- Token gets generated but client can't store/use it
- localStorage/sessionStorage might be blocked
- Complex storage logic in your client might be failing

UI State Management Problem
- User gets authenticated but React state doesn't update
- Auth context or session management is broken
- Page redirects aren't working after successful auth
garyaustin • 3w ago
So there is no 401 from the API Gateway log? And you actually see the API key error or just 401?
Hugo (OP) • 3w ago
I was able to fix it! Wow. I had to rotate the keys... strange. I was never notified that this was needed proactively on my part, given I thought this was opt-in. Thank you for chiming in, though. I really appreciate you spending time to help users!
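
Added example, not part of the thread and not Supabase's own code: a Node.js check that decodes (without verifying) the key a build received as VITE_SUPABASE_ANON_KEY and compares its claims with VITE_SUPABASE_URL. It assumes the legacy JWT-format key whose payload carries `ref`, `role` and `exp` claims; the function names and sample values are constructed for illustration.

```javascript
// Decode the payload of a JWT-shaped key. This does NOT verify the signature.
function decodeJwtPayload(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) return null; // not JWT-shaped
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch {
    return null; // payload is not valid base64url-encoded JSON
  }
}

// Return a list of mismatches between the key's claims and the project URL.
function checkAnonKey(supabaseUrl, anonKey, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(anonKey);
  if (!payload) return ['key is not a three-part JWT'];
  const problems = [];
  // Assumption: the project ref is the first label of the project hostname.
  const urlRef = new URL(supabaseUrl).hostname.split('.')[0];
  if (payload.ref !== urlRef) {
    problems.push(`key ref "${payload.ref}" does not match URL ref "${urlRef}"`);
  }
  // A service_role key in a client bundle bypasses RLS and must never ship.
  if (payload.role !== 'anon') {
    problems.push(`key role is "${payload.role}", expected "anon"`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    problems.push('key is expired');
  }
  return problems;
}

// Constructed sample keys: fake project refs and a fake signature, not real credentials.
function makeSampleKey(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
const SAMPLE_URL = 'https://abcdefghijklmnop.supabase.co';
const base = { iss: 'supabase', iat: 1700000000, exp: 2000000000 };
const goodKey = makeSampleKey({ ...base, ref: 'abcdefghijklmnop', role: 'anon' });
const wrongProjectKey = makeSampleKey({ ...base, ref: 'zyxwvutsrqponmlk', role: 'anon' });
const serviceKey = makeSampleKey({ ...base, ref: 'abcdefghijklmnop', role: 'service_role' });

console.log(checkAnonKey(SAMPLE_URL, goodKey, 1750000000));
console.log(checkAnonKey(SAMPLE_URL, wrongProjectKey, 1750000000));
console.log(checkAnonKey(SAMPLE_URL, serviceKey, 1750000000));
```

A key that was invalidated by rotating the signing secret still passes these checks, because verifying the signature requires the secret; for that case the only client-side test is comparing the deployed value byte for byte with the key currently shown in the dashboard.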
