Auth Troubleshooting
"Authentication not configured" Error
Cause: Missing AUTH_SECRET when using Auth.js mode.
Solution:
```bash
openssl rand -base64 32
npx wrangler secret put AUTH_SECRET
```

"Invalid JWT signature" Error (Cloudflare Access)
Cause: Incorrect CF_ACCESS_CERTS_URL or CF_ACCESS_AUD.
Solution:
- Verify team name in certs URL: https://YOUR_TEAM.cloudflareaccess.com/cdn-cgi/access/certs
- Verify audience tag in Zero Trust Dashboard under application overview
- Check Workers logs for detailed JWT validation errors:
npx wrangler tail
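
The checks above can also be run offline against a captured token. This is an added example, not part of this project's code: it decodes a Cloudflare Access JWT without verifying the signature and compares it with the configured CF_ACCESS_CERTS_URL and CF_ACCESS_AUD. It assumes `iss` equals the origin of the certs URL and that the JWKS JSON was already fetched; function names and sample values are constructed.

```javascript
// Added diagnostic sketch: decodes only, does NOT verify the signature.
function decodePart(part) {
  return JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
}

// certsUrl / aud mirror CF_ACCESS_CERTS_URL / CF_ACCESS_AUD; jwks is the JSON
// already fetched from certsUrl; nowSec is injectable so results are repeatable.
function diagnoseAccessJwt(token, { certsUrl, aud, jwks, nowSec = Math.floor(Date.now() / 1000) }) {
  const parts = token.split(".");
  if (parts.length !== 3) return ["token is not a three-part compact JWT"];
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
  } catch {
    return ["header or payload is not base64url-encoded JSON"];
  }
  const findings = [];
  // Assumption: Access sets iss to https://<team>.cloudflareaccess.com
  const expectedIss = new URL(certsUrl).origin;
  if (claims.iss !== expectedIss)
    findings.push(`iss ${claims.iss} does not match certs URL origin ${expectedIss} (check team name)`);
  const auds = [].concat(claims.aud ?? []); // aud may be a string or an array
  if (!auds.includes(aud))
    findings.push("configured CF_ACCESS_AUD is not in the token's aud claim");
  const kids = (jwks.keys ?? []).map((k) => k.kid);
  if (!kids.includes(header.kid))
    findings.push(`kid ${header.kid} not found in JWKS (wrong team or rotated key)`);
  if (typeof claims.exp !== "number" || claims.exp <= nowSec)
    findings.push("token is expired or has no exp claim");
  return findings;
}

// Constructed sample: placeholder signature, made-up team name and AUD tag.
function makeSampleToken(header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc(header)}.${enc(claims)}.c2lnbmF0dXJl`;
}
const sampleToken = makeSampleToken(
  { alg: "RS256", kid: "kid-1" },
  { iss: "https://example-team.cloudflareaccess.com", aud: ["aud-constructed-123"], exp: 2000000000 }
);
const sampleJwks = { keys: [{ kid: "kid-1" }] };
console.log(diagnoseAccessJwt(sampleToken, {
  certsUrl: "https://exmaple-team.cloudflareaccess.com/cdn-cgi/access/certs", // typo in team name
  aud: "aud-constructed-123", jwks: sampleJwks, nowSec: 1700000000,
}));
```

An empty result means the configuration matches the token, so the remaining cause is the signature check itself; the Workers logs from `npx wrangler tail` are the place to look next.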
"MissingCSRF" Error (Auth.js)
Cause: CSRF token not properly fetched or expired.
Solution:
- Ensure login page fetches /auth/csrf before form submission
- Check browser console for CORS errors
- Verify credentials: 'include' in fetch requests
- Clear browser cookies and try again
Login Redirects to Homepage Instead of App
Cause: Redirect callback not configured in Auth.js.
Solution: Already fixed in code - redirects to /app after successful authentication.
API Key Returns 401 Unauthorized
Cause: API key is invalid, expired, or revoked.
Solution:
- Verify API key is correct (check for typos)
- Check expiration date in dashboard
- Verify key has required scopes for operation
- Check IP whitelist if configured
- Generate new API key if needed
"Not authenticated" on /_auth-check
Cause: Session cookie missing or invalid.
Solution:
- Check browser cookies for authjs.session-token or CF_Authorization
- Verify AUTH_MODE is set correctly
- For Cloudflare Access, ensure user passed Zero Trust authentication
- For Auth.js, ensure user logged in through /login
- Check Workers logs for detailed authentication errors
CORS Errors on Auth Requests
Cause: Frontend and API on different origins without proper CORS configuration.
Solution:
- Development: Ensure VITE_API_URL=http://localhost:8787 in frontend .env
- Production: Ensure API is served from /api path or APP_HOST is configured correctly
- Check API CORS middleware allows frontend origin