Supabase Auth /auth/v1/signup returns 401 “Invalid API key” despite correct project URL and key
Are there known cases where a dashboard-shown legacy anon (JWT) or the new publishable key is rejected by the API Gateway with “Invalid API key” for Auth, even though project URL and origin are correct?
Any guidance on resolving the “Invalid API key” for Auth with a valid client key would be appreciated.
Environment
Library: @supabase/supabase-js v2.76.0
App: React 18 + TypeScript + Vite (Tailwind)
Origin: http://localhost:5173
OS/Browser: Windows 10, Chrome 141 (Incognito, no extensions)
Summary
Using a valid client key (legacy anon, length 208, starts with eyJ...), the Auth endpoint /auth/v1/signup consistently returns 401 with {"message":"Invalid API key"}.
Initial browser attempts hit Cloudflare 403 HTML; after removing manual headers and retrying, curl proves 401 from Auth (so not a CORS issue).
Site URL and Redirect URLs are configured per docs.
Repro steps
Initialize client with project URL + client key (legacy anon).
Call supabase.auth.signUp({ email, password }) from the React app.
Also reproduce with direct curl to /auth/v1/signup.
Expected
200/400 JSON from Auth; successful signup using the project’s client key.
Actual
Browser: 403 (Cloudflare HTML) earlier; after cleanup, still fails to sign up.
curl (from same machine): 401 with “Invalid API key”.
What I’ve tried
Keys
Legacy anon (length 208, eyJ...); also tried the new publishable (sbpublishable...).
Re-copied via Dashboard copy button; ensured single-line, no quotes/spaces.
Restarted dev server; console confirms keyLength: 208, preview eyJh...
Client
Removed manual global headers; rely on SDK defaults.
flowType: 'pkce', persistSession: true, localStorage.
Auth URL config
Site URL: http://localhost:5173 (no trailing slash)
Redirect URLs: http://localhost:5173/**
Network/browser
Chrome desktop (no device emulation), Incognito, no extensions.
Any guidance on resolving the “Invalid API key” for Auth with a valid client key would be appreciated.
Environment
Library: @supabase/supabase-js v2.76.0
App: React 18 + TypeScript + Vite (Tailwind)
Origin: http://localhost:5173
OS/Browser: Windows 10, Chrome 141 (Incognito, no extensions)
Summary
Using a valid client key (legacy anon, length 208, starts with eyJ...), the Auth endpoint /auth/v1/signup consistently returns 401 with {"message":"Invalid API key"}.
Initial browser attempts hit Cloudflare 403 HTML; after removing manual headers and retrying, curl proves 401 from Auth (so not a CORS issue).
Site URL and Redirect URLs are configured per docs.
Repro steps
Initialize client with project URL + client key (legacy anon).
Call supabase.auth.signUp({ email, password }) from the React app.
Also reproduce with direct curl to /auth/v1/signup.
Expected
200/400 JSON from Auth; successful signup using the project’s client key.
Actual
Browser: 403 (Cloudflare HTML) earlier; after cleanup, still fails to sign up.
curl (from same machine): 401 with “Invalid API key”.
What I’ve tried
Keys
Legacy anon (length 208, eyJ...); also tried the new publishable (sbpublishable...).
Re-copied via Dashboard copy button; ensured single-line, no quotes/spaces.
Restarted dev server; console confirms keyLength: 208, preview eyJh...
Client
Removed manual global headers; rely on SDK defaults.
flowType: 'pkce', persistSession: true, localStorage.
Auth URL config
Site URL: http://localhost:5173 (no trailing slash)
Redirect URLs: http://localhost:5173/**
Network/browser
Chrome desktop (no device emulation), Incognito, no extensions.
