A couple of days ago, I raised an issue where our API was failing with the following error:
"invalid JWT: unable to parse or verify signature, token signature is invalid: signing method HS256 is invalid."
As an immediate workaround (since we were in production), someone suggested setting verify_jwt = false in config.toml. This temporarily fixed the issue.
However, after some time, the same issue started occurring in our frontend as well. I raised this in the Supabase repository, and I was advised to generate a new SERVICE_ROLE_KEY using the command:
supabase status -o env
After updating the Service Role Key in the frontend, the JWT issue was resolved and everything started working correctly.
Now, we are facing a security concern because verify_jwt = false is still set in config.toml.
Additionally, I noticed that Deno.env.get("SUPABASE_SERVICE_ROLE_KEY") is still returning the old Service Role Key.
Can someone please guide me on:
1. How to safely re-enable verify_jwt = true while ensuring everything continues to work as before?
2. Why the old SUPABASE_SERVICE_ROLE_KEY is still being returned?
3. How to properly update the Service Role Key so that the latest value is used?
Any help would be appreciated.
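For readers trying to reason about what `verify_jwt = true` protects, the following is an added example (not code from this post or from Supabase) that reproduces the check a gateway performs on an HS256 token: decode the header, reject any algorithm other than HS256, recompute the HMAC over the header and payload with the project's JWT secret, compare it in constant time, and only then read the claims. It assumes that a Supabase service role key is itself an HS256 JWT signed with the project's JWT secret, which is why a key minted under an old secret stops verifying once the secret is rotated. The secret values, the claims and the env-var lookup name are constructed for the demo; in a Deno Edge Function the secret would come from an environment variable, never from the request.

```typescript
// Added example: hand-rolled HS256 JWT verification mirroring a verify_jwt gateway.
// Uses node:crypto, which Deno also exposes; all secrets and claims below are constructed.
import { createHmac, timingSafeEqual } from "node:crypto";

const b64url = (buf: Buffer): string => buf.toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Mint a token the way a key issuer would (constructed; only used to produce test input).
function signHs256(payload: Record<string, unknown>, secret: string): string {
  const header = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(createHmac("sha256", secret).update(`${header}.${body}`).digest());
  return `${header}.${body}.${sig}`;
}

type VerifyResult =
  | { ok: true; payload: Record<string, unknown> }
  | { ok: false; reason: string };

// The gateway-style check: algorithm pinned to HS256, signature compared in constant time,
// expiry enforced. Claims are only trusted after the signature has been validated.
function verifyHs256(token: string, secret: string, now = Math.floor(Date.now() / 1000)): VerifyResult {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed token" };
  const [h, b, s] = parts;

  let header: { alg?: string };
  try {
    header = JSON.parse(fromB64url(h).toString("utf8"));
  } catch {
    return { ok: false, reason: "unable to parse header" };
  }
  // Pinning the algorithm prevents "alg": "none" and key-confusion style downgrades.
  if (header.alg !== "HS256") return { ok: false, reason: `signing method ${header.alg} is invalid` };

  const expected = createHmac("sha256", secret).update(`${h}.${b}`).digest();
  const given = fromB64url(s);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    return { ok: false, reason: "token signature is invalid" };
  }

  let payload: Record<string, unknown>;
  try {
    payload = JSON.parse(fromB64url(b).toString("utf8"));
  } catch {
    return { ok: false, reason: "unable to parse payload" };
  }
  if (typeof payload.exp === "number" && payload.exp <= now) return { ok: false, reason: "token expired" };
  return { ok: true, payload };
}

// What an Edge Function would do itself while verify_jwt is off at the gateway:
// read the bearer token from the Authorization header and verify it against the
// secret loaded from the environment (hypothetical variable name, constructed here).
function authorizeRequest(authorizationHeader: string | null, jwtSecret: string): VerifyResult {
  if (!authorizationHeader || !authorizationHeader.startsWith("Bearer ")) {
    return { ok: false, reason: "missing bearer token" };
  }
  return verifyHs256(authorizationHeader.slice("Bearer ".length), jwtSecret);
}

// Demo of the rotation scenario from the post: a key signed under the old secret
// fails once the gateway checks against the new one.
const OLD_SECRET = "constructed-old-jwt-secret";
const NEW_SECRET = "constructed-new-jwt-secret";
const FAR_FUTURE = 4102444800; // 2100-01-01, so the demo token never expires

function demo(): { staleKey: VerifyResult; freshKey: VerifyResult; algNone: VerifyResult } {
  const claims = { role: "service_role", iss: "supabase-demo", exp: FAR_FUTURE };
  const staleKey = authorizeRequest(`Bearer ${signHs256(claims, OLD_SECRET)}`, NEW_SECRET);
  const freshKey = authorizeRequest(`Bearer ${signHs256(claims, NEW_SECRET)}`, NEW_SECRET);
  // A forged token that claims no signature algorithm must be rejected before any claim is read.
  const noneHeader = b64url(Buffer.from(JSON.stringify({ alg: "none", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const algNone = verifyHs256(`${noneHeader}.${body}.`, NEW_SECRET);
  return { staleKey, freshKey, algNone };
}

const results = demo();
console.log(results.staleKey); // { ok: false, reason: 'token signature is invalid' }
console.log(results.freshKey.ok); // true
console.log(results.algNone); // { ok: false, reason: 'signing method none is invalid' }
```

The practical takeaway for the question above: while `verify_jwt = false` is in place, nothing in front of the function checks the signature, so either the function performs a check like `authorizeRequest` with the current secret, or `verify_jwt` goes back to `true` and every client, including the one still reading a stale `SUPABASE_SERVICE_ROLE_KEY` from its environment, must present a key signed under the current secret.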