VAPI•8mo ago

JWT validation fails and unclear documentation

I've asked a few weeks ago about JWT creation for the webclient, it still seems to be broken. Aside from that the docs seem to have changed and they are now linking to an non existing page.
https://docs.vapi.ai/customization/jwt-authentication

The code:

        const payload = {
          orgId: process.env.VAPI_ORG_ID,
          // This is the scope of the token
          token: {
            tag: 'public',
            restrictions: {
              enabled: process.env.NODE_ENV !== 'development',
              allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
              allowedAssistantIds: [assistant.vapiId],
              allowTransientAssistant: false,
            },
          },
        }
        // Get the private key from environment variables
        const key = new TextEncoder().encode(process.env.VAPI_PRIVATE_KEY)

        // Generate the token using a JWT library or built-in functionality
        const token = await new SignJWT(payload)
          .setProtectedHeader({ alg: 'HS256' })
          .setExpirationTime('1h')
          .sign(key)

        const payload = {
          orgId: process.env.VAPI_ORG_ID,
          // This is the scope of the token
          token: {
            tag: 'public',
            restrictions: {
              enabled: process.env.NODE_ENV !== 'development',
              allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
              allowedAssistantIds: [assistant.vapiId],
              allowTransientAssistant: false,
            },
          },
        }
        // Get the private key from environment variables
        const key = new TextEncoder().encode(process.env.VAPI_PRIVATE_KEY)

        // Generate the token using a JWT library or built-in functionality
        const token = await new SignJWT(payload)
          .setProtectedHeader({ alg: 'HS256' })
          .setExpirationTime('1h')
          .sign(key)

        const payload = {
          orgId: process.env.VAPI_ORG_ID,
          // This is the scope of the token
          token: {
            tag: 'public',
            restrictions: {
              enabled: process.env.NODE_ENV !== 'development',
              allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
              allowedAssistantIds: [assistant.vapiId],
              allowTransientAssistant: false,
            },
          },
        }
        // Get the private key from environment variables
        const key = new TextEncoder().encode(process.env.VAPI_PRIVATE_KEY)

        // Generate the token using a JWT library or built-in functionality
        const token = await new SignJWT(payload)
          .setProtectedHeader({ alg: 'HS256' })
          .setExpirationTime('1h')
          .sign(key)

        const payload = {
          orgId: process.env.VAPI_ORG_ID,
          // This is the scope of the token
          token: {
            tag: 'public',
            restrictions: {
              enabled: process.env.NODE_ENV !== 'development',
              allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
              allowedAssistantIds: [assistant.vapiId],
              allowTransientAssistant: false,
            },
          },
        }
        // Get the private key from environment variables
        const key = new TextEncoder().encode(process.env.VAPI_PRIVATE_KEY)

        // Generate the token using a JWT library or built-in functionality
        const token = await new SignJWT(payload)
          .setProtectedHeader({ alg: 'HS256' })
          .setExpirationTime('1h')
          .sign(key)

The JWT validates correctly using the private key, however from the vapi api we receive:

{"message":"Couldn't verify JWT.","error":"Unauthorized","statusCode":401}

{"message":"Couldn't verify JWT.","error":"Unauthorized","statusCode":401}

{"message":"Couldn't verify JWT.","error":"Unauthorized","statusCode":401}

{"message":"Couldn't verify JWT.","error":"Unauthorized","statusCode":401}

It would really help if the docs were complete and include working demo's or examples.

Vapi Support BotAPP•5/6/25, 3:56 PM

Based on your error message, this is likely a key mismatch issue. Try verifying your private key:

// Make sure you're using the correct private key format
// Vapi might be expecting a different format than what you're providing
const key = process.env.VAPI_PRIVATE_KEY
  .replace(/\\n/g, '\n')  // Handle any escaped newlines
  .trim();

// Then use it without TextEncoder
const token = await new SignJWT(payload)
  .setProtectedHeader({ alg: 'HS256' })
  .setExpirationTime('1h')
  .sign(Buffer.from(key, 'utf-8'))  // Or appropriate format

// Make sure you're using the correct private key format
// Vapi might be expecting a different format than what you're providing
const key = process.env.VAPI_PRIVATE_KEY
  .replace(/\\n/g, '\n')  // Handle any escaped newlines
  .trim();

// Then use it without TextEncoder
const token = await new SignJWT(payload)
  .setProtectedHeader({ alg: 'HS256' })
  .setExpirationTime('1h')
  .sign(Buffer.from(key, 'utf-8'))  // Or appropriate format

You can also verify your JWT at jwt.io to ensure it's correctly formatted.

Sources:

⤵️ Mention @Vapi Support Bot for follow-ups 🐥

extreme-purple•5/6/25, 6:03 PM

The 401 error may be due to an incorrect authorization header format, expired token, or signature mismatch, ensure your JWT is correctly formatted with the Bearer prefix, not expired, and signed with the correct key and algorithm..

rubber-blueOP•5/6/25, 7:37 PM

I checked all that ofcourse, the payload is signed correctly. The algorithm is correct i believe, but like i said the docs are missing all this information

verbal-lime•5/7/25, 6:36 AM

Same issue here - would be great to have an update. thanks

SarthakAPP•5/10/25, 10:44 PM

If you’re still getting a 401 error despite a correct JWT, ensure your Authorization header uses the exact Bearer token format, claims like iss and aud match Vapi’s expectations, the algorithm and signing key are correct, your server’s clock is synced. If you follow those instructions and still face issues, feel free to reach out.

still-lime•5/12/25, 5:16 AM

getting the same issue, funny thing is it was working until 2 days ago then suddenly stopped + the jwt docs are gone so no clue how to fix it either

still-lime•5/12/25, 5:20 AM

cant test locally cus it wont let me add localhost as an allowed oriign

SarthakAPP•5/14/25, 10:26 PM

Sorry about the confusion with the documentation link; it seems to be broken. Please use the direct documentation for generating and validating JWTs for your setup. Make sure your JWT payload includes a

token

token

object and the correct scope (

public

public

or privateprivate), as missing scopes can lead to issues. If you continue experiencing issues, check your environment variables to ensure ORG_IDORG_ID and PRIVATE_KEYPRIVATE_KEY are accurately set. If you need any more help, feel free to ask.

rubber-blueOP•5/21/25, 2:06 PM

Thanks for fixing the link to the docs, however after over one month of trying to get this to work, i still don't have a solution.

Tried different JWT libraries, all same result...

The JWT is correct and can be verified using the orgs private key.

Please just add a fully working example into the docs or add a jwt method into the node client to resolve this once and for all.

rubber-blueOP•5/21/25, 2:06 PM

@Kings_big

SarthakAPP•5/22/25, 4:30 AM

const jwt = require('jsonwebtoken'); // Switch to jsonwebtoken

// Clean any potential formatting issues in the key
const privateKey = process.env.VAPI_PRIVATE_KEY.trim(); 

const payload = {
  orgId: process.env.VAPI_ORG_ID,
  token: {
    tag: 'public',
    restrictions: {
      enabled: true,
      allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
      allowedAssistantIds: [assistant.vapiId],
      allowTransientAssistant: false,
    },
  }
};

// Use same library/approach as Vapi backend
const token = jwt.sign(payload, privateKey, { 
  algorithm: 'HS256',
  expiresIn: '1h' 
});

const jwt = require('jsonwebtoken'); // Switch to jsonwebtoken

// Clean any potential formatting issues in the key
const privateKey = process.env.VAPI_PRIVATE_KEY.trim(); 

const payload = {
  orgId: process.env.VAPI_ORG_ID,
  token: {
    tag: 'public',
    restrictions: {
      enabled: true,
      allowedOrigins: [process.env.NEXT_PUBLIC_APP_URL],
      allowedAssistantIds: [assistant.vapiId],
      allowTransientAssistant: false,
    },
  }
};

// Use same library/approach as Vapi backend
const token = jwt.sign(payload, privateKey, { 
  algorithm: 'HS256',
  expiresIn: '1h' 
});

This approach matches Vapi's internal JWT generation and verification exactly as required.

SarthakAPP•5/22/25, 4:30 AM

Let me know how it goes.

rubber-blueOP•5/29/25, 7:59 AM

thanks @Shubham Bajaj i've tried jsonwebtoken as well, i believe the same settings without success, but will give it another go

SarthakAPP•5/29/25, 9:28 PM

Hey Eeloc, a gentle reminder to continue this thread.

JWT validation fails and unclear documentation

Similar Threads

Similar Threads

Similar Threads