# gooddata-cloud
t
Hi GoodData team, I'm having some issues authenticating with the JWTs I'm creating. I can see that the JWK was created and correctly uploaded to GoodData through your API. I'm trying to debug but just getting a 401 error back. I saw some earlier messages in the channels about more detailed error messages. Any ideas on this?
j
Hi Tim, we certainly are working to improve error messages. However, with the error that you see, is there a related traceID that we can check our logs for?
t
I don't see a traceID as it's just coming back as a 401. Anything else I could provide?
j
hhhmmm.... there is nothing from the dev console or any other message we could use to identify the error? Have you followed all the steps correctly here: https://www.gooddata.com/docs/cloud/manage-organization/jwt-access-token/
t
I was following the JavaScript instructions but just tried with the basic ones.
curl --request GET \
  --header "Authorization: Bearer $signed_jwt" \
  --header 'Content-Type: application/vnd.gooddata.api+json' \
  $HOST_URL/api/v1/profile -v
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 54.225.116.104:443...
* Connected to pushoperations.cloud.gooddata.com (54.225.116.104) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=pushoperations.cloud.gooddata.com
*  start date: Apr 30 11:15:05 2024 GMT
*  expire date: Jul 29 11:15:04 2024 GMT
*  subjectAltName: host "pushoperations.cloud.gooddata.com" matched cert's "pushoperations.cloud.gooddata.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://pushoperations.cloud.gooddata.com/api/v1/profile
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: pushoperations.cloud.gooddata.com]
* [HTTP/2] [1] [:path: /api/v1/profile]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImQ0ZTYyMDNlLTdjYjMtNDc2My1hOTc4LTAwYmZmNjViZWMwZCJ9.eyJzdWIiOiIyNTQwOSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTcxNTgwMDgwMCwiZXhwIjoxNzE1ODA0NDAzLCJqdGkiOiI1RUI4MUU0RC1GRDg0LTQ1N0YtODE2OS0wRTZDQTk5QzgyMTYifQ.pM6nZol46RK33ERft2hZq2S7F7ueJiBg6rZQPXjFpJgmt24KXC1Vvr5Tkx0VEMhECzJXDAv43kuko1_HTHQfMvwABIo1BZlmACkCP_jbfCEBFaR1qvFqL5Hj_Wcpfw9b5Rp85jiJOU6YNA-n9pOpaDSDAFBcsPVo9_aiKaTfZE3GJpP_sTlamLFvyTsPEtg9luiQSTUwN8FSqUBO4VDHG8edWAIK3knDXEn8mJwm0KreTi853INfbpEoLo6BS_nOoNNYxuF8SSpjZYAu_z2Cvr7_4rUkGsfIhSP3trG2MUI_4wi69Gejmg7PWJb6eMFqoPuiV8qI2VSytFs7wd1Dyw]
* [HTTP/2] [1] [content-type: application/vnd.gooddata.api+json]
> GET /api/v1/profile HTTP/2
> Host: pushoperations.cloud.gooddata.com
> User-Agent: curl/8.4.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImQ0ZTYyMDNlLTdjYjMtNDc2My1hOTc4LTAwYmZmNjViZWMwZCJ9.eyJzdWIiOiIyNTQwOSIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI6MTcxNTgwMDgwMCwiZXhwIjoxNzE1ODA0NDAzLCJqdGkiOiI1RUI4MUU0RC1GRDg0LTQ1N0YtODE2OS0wRTZDQTk5QzgyMTYifQ.pM6nZol46RK33ERft2hZq2S7F7ueJiBg6rZQPXjFpJgmt24KXC1Vvr5Tkx0VEMhECzJXDAv43kuko1_HTHQfMvwABIo1BZlmACkCP_jbfCEBFaR1qvFqL5Hj_Wcpfw9b5Rp85jiJOU6YNA-n9pOpaDSDAFBcsPVo9_aiKaTfZE3GJpP_sTlamLFvyTsPEtg9luiQSTUwN8FSqUBO4VDHG8edWAIK3knDXEn8mJwm0KreTi853INfbpEoLo6BS_nOoNNYxuF8SSpjZYAu_z2Cvr7_4rUkGsfIhSP3trG2MUI_4wi69Gejmg7PWJb6eMFqoPuiV8qI2VSytFs7wd1Dyw
> Content-Type: application/vnd.gooddata.api+json
> 
< HTTP/2 401 
< date: Wed, 15 May 2024 22:10:20 GMT
< content-length: 0
< vary: Origin
< vary: Access-Control-Request-Method
< vary: Access-Control-Request-Headers
< www-authenticate: Bearer error="invalid_token", error_description="We are unable to verify signature.", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< pragma: no-cache
< expires: 0
< x-content-type-options: nosniff
< strict-transport-security: max-age=63072000; includeSubDomains
< x-xss-protection: 1 ; mode=block
< referrer-policy: no-referrer
< 
* Connection #0 to host pushoperations.cloud.gooddata.com left intact
JWK appears to be added to my organization
Any help on this? The error says invalid token but I followed the steps from the readme so I'm not sure where it's breaking down.
j
I think the invalid token error is in reference to the:
--header "Authorization: Bearer $API_TOKEN"
Could you double check you are authenticating correctly with the header?
t
Seems to have been a different issue as I was using the $signed_token as in the example. Got it all fixed up now.