Neymar is dood, 2mo ago

Service User - OAuth token fetch fails with 500 Internal Error

Use-case: A multitenant SaaS solution where a tenant superuser can manage users from their own application through the SaaS platform. The Admin API will be handled via my Service account and it will manage the users on the super user's request.
Environment: Zitadel Cloud
Version: V2 (for the Admin API requests)
Stack: Python + React

I want to test my service account, for which I granted all rights at the instance level. See screenshot. I'm following the guide described in https://zitadel.com/docs/guides/integrate/service-users/private-key-jwt. I succeed in creating the JWT, but as soon as I request the OAuth token, I get a 500. If my credentials were wrong, I would expect a 4XX.
Response status: 500
Response headers: {'cache-control': 'no-store', 'content-type': 'application/json', 'expires': 'Wed, 16 Jul 2025 07:36:49 GMT', 'pragma': 'no-cache', 'set-cookie': '__Host-zitadel.useragent=MTc1MjY1NTAwOXx4eVNOYTJLMm5CeUZTRndJc3NLS1FyNHdpQzc3eFlwVVk4SHdFNmRFRWkxVEhGNjdqTDJyczZ0aV9lVmxiZmhiaDB5OVpWbkFEN2Q1SE95ZVZEeDZSak81bUdlc2FRPT18GQZ2SRQNVYR0tlLxT0KgteGZkzrpjnZKEz2t4thNUBE=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=None, zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax', 'vary': 'Origin,Cookie', 'x-robots-tag': 'none', 'content-length': '63', 'date': 'Wed, 16 Jul 2025 08:36:49 GMT', 'server': 'Google Frontend', 'traceparent': '00-32ebc9e7e38f5ba6c18ad48af5014918-abcec5a3877d2b7e-00', 'x-cloud-trace-context': '32ebc9e7e38f5ba6c18ad48af5014918/12380049731831540606', 'via': '1.1 google', 'strict-transport-security': 'max-age=63072000; includeSubDomains; preload', 'x-cache-hit': 'uncacheable', 'alt-svc': 'h3=":443"; ma=2592000,h3-29=":443"; ma=2592000'}

Response: {"error":"server_error","error_description":"Errors.Internal"}
Attached, you can find my Python script that I used for debugging. Is there a way for me to see the server logs to understand the "Errors.Internal"? Could there be an issue on Zitadel's side?
Rajat, 2mo ago
hi @Neymar is dood I see this
data = {
"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
"scope": "'openid urn:zitadel:iam:org:project:id:zitadel:aud'",
"assertion": jwt_token,
}
I see double quotes followed by single quotes here: "scope": "'openid urn:zitadel:iam:org:project:id:zitadel:aud'". Can you please change it to "scope": "openid urn:zitadel:iam:org:project:id:zitadel:aud" and try again? Please let me know. Thanks
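An added example (not the OP's attached script and not Zitadel's code) that puts the two points raised so far into checkable form: the claim set the private-key JWT guide describes (iss and sub set to the service user id, aud set to the instance domain; the RS256 signing step with the downloaded key is left out), a jwt-bearer request body that refuses the stray-quoted scope value, and a small triage helper that tells a 4xx (client-side problem) from a 5xx (server-side failure) and pulls the trace id out of the traceparent header for a support report. Function names, the sample user id and the trimmed header set are assumptions; the sample body and trace id are the ones shown in the thread.

```python
import json
import time
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
ZITADEL_API_SCOPE = "openid urn:zitadel:iam:org:project:id:zitadel:aud"

def assertion_claims(user_id, zitadel_domain, now=None, lifetime=3600):
    """Claims for the service-user private-key JWT: iss and sub are the user id,
    aud is the instance domain, exp keeps it short-lived. Sign with RS256 using
    the key downloaded from Zitadel (signing itself is not shown here)."""
    now = int(now if now is not None else time.time())
    return {"iss": user_id, "sub": user_id, "aud": zitadel_domain,
            "iat": now, "exp": now + lifetime}

def token_request_body(assertion, scope=ZITADEL_API_SCOPE):
    """Form body for POST /oauth/v2/token. A scope wrapped in stray quotes (the
    "'openid ...'" value from the thread) would be sent literally; refuse it."""
    if any(ch in scope for ch in "'\""):
        raise ValueError(f"scope contains quote characters: {scope!r}")
    return urlencode({"grant_type": JWT_BEARER_GRANT, "scope": scope,
                      "assertion": assertion})

def classify_token_response(status, body, headers=None):
    """Triage a token-endpoint reply: 4xx points at the client (key id, claims,
    scope); 5xx is a server failure, and the W3C trace id pulled from the
    'traceparent' header is what to quote when reporting it."""
    headers = headers or {}
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {"error": "unparseable_body"}
    parts = headers.get("traceparent", "").split("-")
    trace_id = parts[1] if len(parts) == 4 else None
    if 200 <= status < 300:
        outcome = "token"
    elif 400 <= status < 500:
        outcome = "client_error"
    else:
        outcome = "server_error"
    return {"outcome": outcome, "error": payload.get("error"),
            "detail": payload.get("error_description"),
            "token_type": payload.get("token_type"), "trace_id": trace_id}

# Constructed sample mirroring the thread's 500 reply (only two headers kept).
SAMPLE_HEADERS = {"content-type": "application/json",
                  "traceparent": "00-32ebc9e7e38f5ba6c18ad48af5014918-abcec5a3877d2b7e-00"}
SAMPLE_BODY = '{"error":"server_error","error_description":"Errors.Internal"}'
```

Running classify_token_response(500, SAMPLE_BODY, SAMPLE_HEADERS) yields outcome "server_error" with the trace id, which is the reference to include when opening an issue, since server logs are not available to tenants.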
Neymar is dood (OP), 2mo ago
Hey @Rajat, thanks for looking into it. I just tried, but this does not change anything. Note that I also print out the curl command, and this gives the same result. E.g. (with redacted token):
curl --request POST \
--url https://kingfishx-api-test-dy2rqz.us1.zitadel.cloud/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid urn:zitadel:iam:org:project:id:zitadel:aud' \
--data assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjMyOTAyODAxODIzNDI0NjQyNiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIzMjkwMjY4ODA0NzA1NjYxNzAiLCJzdWIiOiIzMjkwMjY4ODA0NzA....lEPB3KO73jjgBHyJpiyGrElQa2MLtNm-5rjhzgla2IMC-UU6DG_op_k_KM0MCth-WcKJC_gE6jOolJ_4z_GT2difpS__W8Zq7qzpxfl3KN7iMuHI3gvLBOIgBhSv_QHGwbOsn7ytWD_jGaZ2MUUaYBbFg0QMQOZrxLzwV6O9JlJYP63wfw
Rajat, 2mo ago
ah okay, sure, are you authenticating with a Service User, correct?
Neymar is dood (OP), 2mo ago
Yes. That's the one from the screenshot. But even if I used the wrong user, shouldn't this give a 4XX instead of a 500?
Rajat, 2mo ago
hey @Neymar is dood, I looked more and it seems like a known issue: https://github.com/zitadel/zitadel/issues/9745. It would be nice if you can update your findings here.
Neymar is dood (OP), 2mo ago
It's very close, but not exactly the same, as it's for a "not Service User". See:
5. An error is returned. If the same process is used to sign a token using the private key downloaded for a service user, the request works as expected.
But I can add it there.
Rajat, 2mo ago
yes please update the issue
Neymar is dood (OP), 2mo ago
Do you know if I can see some server side logs somewhere?
Rajat Singh, 2mo ago
Hey @Neymar is dood, good morning! Unfortunately you can't access server-side logs. Monitoring and log analysis can ONLY be viewed internally by the devs at Zitadel. The only things you as a user can do are access the Audit Log and the Events API.
Rafael, 2mo ago
I see the same problem. I'm using the Pulumi Zitadel provider, which used to work and wasn't upgraded recently, unlike the GH issue. It's a service user.
Rajat, 2mo ago
hey @Rafael, can you please open a new issue: https://discord.com/channels/927474939156643850/1309166758699208785 I will take a look at it.
Neymar is dood (OP), 2mo ago
@Rafael, can you comment on https://github.com/zitadel/zitadel/issues/9745 too? This will give it a bit more traction.
GitHub: [Bug]: Token endpoint returns 500 for Private Key JWT using API app...
Preflight Checklist I could not find a solution in the documentation, the existing issues or discussions I have joined the ZITADEL chat Environment ZITADEL Cloud Version v2.70.8 Database None Datab...
FriendlyForeignAgent
I had/have the same issue. My comment is on https://github.com/zitadel/zitadel/issues/9745
FriendlyForeignAgent
Just an update, it turned out to be a skill issue. All resolved now.
Rajat, 2mo ago
hi @FriendlyForeignAgent, good morning, could you please elaborate on what you did to solve it? It seems like a few others in the thread had the same issue.
Neymar is dood (OP), 2mo ago
@Rafael I can no longer reproduce my issue. See screenshot for the "fix".