inviteUserByEmail invalidJWTError
In local, getting this error calling inviteUserByEmail via new SB secret key.
Error: Failed to invite user: invalid JWT: unable to parse or verify signature, token is malformed: token contains an invalid number of segments
19 Replies
Make sure you are on latest CLI version.
There have been several fixes recently to get the new SB keys to work.
On v2.51.
That should have been good enough for auth/DB to work with the keys.
Are other operations working?
Yea other stuff seems to work. I was the same guy who was having issues with my "admin" schema but all that works now
Also can invite users from Studio - auth page by email, goes to mail pit
The error you have seems way before it gets to anything dealing with the database.
That is usually not having a JWT in the authorization header which the CLI fixed a month or so ago to convert the sb_secret... key to service_role. Before that fix your error is the type of thing that would happen as if the sb_secret.... text key goes in the Authorization header then it is not a valid JWT.
How are you calling it?
Are you sure you have the client set correctly for the apikey?
This time the code is a lot simpler, so hopefully I did not make a mistake here lol
I use the same createAdminClient for a bunch of other stuff, so can confirm it does work.
The error is coming back in inviteError?
Yep:
Server Action Error - Inviting user: invalid JWT: unable to parse or verify signature, token is malformed: token contains an invalid number of segments
if (inviteError) {
  console.error(
    'Server Action Error - Inviting user:',
    inviteError.message
  );
  return { error: `Failed to invite user: ${inviteError.message}` };
}
I would log your secret key to make sure when you call createAdmin right before this call it is correct.
I can't think of a reason that call would care as the conversion from sb_secret to service_role is done at a higher level in the REST process. And I can't think of how another JWT would be involved.
Also you might check the dashboard auth logs to see if it is getting there with same error.
Will do, let me try that. Yea very odd. Re logs, I did check auth logs, it's the same error


I can't test it as they now ban the secret key in a browser and that is my only quick test platform. But it would be pretty remote this one particular auth call is generating it based on the secret versus the API gateway.
Hmm I restarted Supabase and got this:
WARNING: You are running different service versions locally than your linked project:
supabase/gotrue:v2.176.1 => v2.180.0
Yea I did log the key, seems fine. Yea very odd.
Sorry, you are now in something I have no idea on. I don't do local or server dev.
All good. Could be an odd local only issue. Thanks for trying to help anyway!
I would try another auth admin call as a test.
I would try hard coding the real service_role key (legacy) as a test to rule out some other JWT being involved.
Will do, yea imma try that next, get the old service_role key and see if it works as it did work before. Thanks again for helping man
Just confirming, I just created the below function, everything works fine with it.
import { createClient } from '@supabase/supabase-js';

export function createAdminClientServiceRole() {
  // Create a client with the legacy service_role key for admin access
  // Note: This should only be used in secure server environments
  return createClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.SUPABASE_SERVICE_ROLE_KEY!, // Legacy service_role key (a JWT)
    {
      auth: {
        autoRefreshToken: false,
        persistSession: false,
        detectSessionInUrl: false,
      },
    }
  );
}
For what it is worth:
I do have a quick way to run server code... in an edge function and the call works fine on hosted with sb_secret....
This really points to something with your CLI version or you don't have the sb_secret key there. That seems mitigated by you saying this admin client works in other places as far as CLI version goes (unless you are overriding the client with a user session).

Thank you for helping me test. Yea I think in a bit, I might just push to production and see if it works there, if it does, I'll just ignore local for now.
Just to report back, I switched to new JWT signing keys and pushed my changes to prod using the latest supabase-js. Both realtime subscriptions and inviteUserByEmail work perfectly.
Super odd. I'm going to use a hack to use the service_role_key in local CLI and hope that it's an odd error in CLI that will resolve itself.
Thank you again for helping out
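
Added example, not part of the thread and not Supabase's own code: a small Node.js helper for the "log your secret key" step that reports a key's shape (length, segment count, JWT or sb_secret) without printing the secret, which shows why an unconverted sb_secret value fails with "invalid number of segments". The function name describeKey, the sample values and the assumption that a legacy service_role key is a JWT carrying a role claim are illustrative.

```javascript
// Added example (not from the thread): classify a key without printing it.
// Assumption: legacy service_role keys are JWTs carrying a `role` claim.

function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function describeKey(key) {
  const value = String(key ?? '').trim();
  const parts = value === '' ? [] : value.split('.');
  const info = { length: value.length, segments: parts.length };

  if (parts.length === 0) return { ...info, kind: 'missing', validBearerShape: false };
  if (value.startsWith('sb_secret')) {
    // Opaque key: it has no header.payload.signature structure, so a JWT
    // parser rejects it if it reaches the Authorization header unconverted.
    return { ...info, kind: 'sb_secret', validBearerShape: false };
  }
  if (parts.length !== 3) return { ...info, kind: 'unknown', validBearerShape: false };
  try {
    const header = decodeSegment(parts[0]);
    const payload = decodeSegment(parts[1]);
    // Decoded only, NOT verified: this is a shape check, not authentication.
    return { ...info, kind: 'jwt', validBearerShape: true, alg: header.alg, role: payload.role };
  } catch {
    return { ...info, kind: 'malformed-jwt', validBearerShape: false };
  }
}

// Constructed sample values; neither is a real credential.
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const SAMPLE_JWT = [
  encode({ alg: 'HS256', typ: 'JWT' }),
  encode({ role: 'service_role' }),
  'c2lnbmF0dXJl',
].join('.');
const SAMPLE_SECRET = 'sb_secret_constructed_placeholder';

console.log(describeKey(SAMPLE_SECRET)); // kind: 'sb_secret', segments: 1
console.log(describeKey(SAMPLE_JWT));    // kind: 'jwt', role: 'service_role'
```

Calling describeKey(process.env.SUPABASE_SERVICE_ROLE_KEY) right before the admin call logs only the shape, so the output is safe to paste into a support thread.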