JWT auth fails when adding custom domain

Hi everyone

I deployed a ZITADEL v3.3.0 instance to my K8s cluster using the Helm Chart and now want to configure a custom domain.

From what I found, this must be done via the API (no UI anymore?) — is that correct?

I tried the

AddCustomDomain

AddCustomDomain

endpoint, using the ResourceID from

/ui/console/instance?id=organizations

/ui/console/instance?id=organizations

as the

instanceID

instanceID

, but got:

{"code": 5, "message": "Not Found"}

{"code": 5, "message": "Not Found"}

I also tested the old API with no success.

For auth, I followed the System API guide, created a system user, and generated a JWT with:

zitadel-tools key2jwt \
  --audience=https://zitadel.domain.com \
  --key=system-user-1.pem \
  --issuer=system-user-1

zitadel-tools key2jwt \
  --audience=https://zitadel.domain.com \
  --key=system-user-1.pem \
  --issuer=system-user-1

Since I couldn’t mount the key in Helm, I base64-encoded the public key and added it under

keyData

keyData

, then ran

helm upgrade

helm upgrade

.

The docs mention this JWT approach is for "test" purposes, so I’m unsure if it works for production. When I tried listing instances:

curl --request POST \
  --url https://zitadel.domain.com/system/v1/instances/_search \
  --header 'Authorization: Bearer ey...' \
  --header 'Content-Type: application/json'

curl --request POST \
  --url https://zitadel.domain.com/system/v1/instances/_search \
  --header 'Authorization: Bearer ey...' \
  --header 'Content-Type: application/json'

...I received:

{
  "code": 16,
  "message": "Errors.Token.Invalid (AUTH-7fs1e)"
}

{
  "code": 16,
  "message": "Errors.Token.Invalid (AUTH-7fs1e)"
}

Am I missing something with the token, audience, or signing?

Appreciate any help!

JWT auth fails when adding custom domain

Similar Threads