Aldraz 3w ago

SystemAPI doesn't work in v4.3.0

Following this tutorial no longer works: https://zitadel.com/docs/guides/integrate/zitadel-apis/access-zitadel-system-api

I tried all kinds of things, but can't manage to use the AddCustomDomain API. It always gives me this error:
--- ERROR ---
Status Code: 401
Error Message: {"code":"unauthenticated","message":"Errors.Token.Invalid (AUTH-7fs1e)","details":[{"type":"zitadel.v1.ErrorDetail","value":"CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA","debug":{"id":"AUTH-7fs1e","message":"Errors.Token.Invalid"}}]}
Error Details (JSON): {
  "code": "unauthenticated",
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "type": "zitadel.v1.ErrorDetail",
      "value": "CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA",
      "debug": {
        "id": "AUTH-7fs1e",
        "message": "Errors.Token.Invalid"
      }
    }
  ]
}
Ask Inkeep 3w ago
Hi @Aldraz, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

The AUTH-7fs1e error indicates an invalid token issue with System API authentication. Based on community reports, there are several common causes for this error:

Key troubleshooting steps:

1. Include the correct port in your JWT audience - The audience must match exactly what ZITADEL resolves to, including any port number (1). For example, if your ZITADEL instance runs on port 8080, use:
zitadel-tools key2jwt \
  --key system-user-1.pem \
  --issuer system-user-1 \
  --audience https://zitadel.domain.com:8080

2. Verify your System API user configuration - Ensure your public key is properly loaded in the SystemAPIUsers configuration. The key should be base64-encoded and properly indented in your configuration.

3. Check JWT claims - Your JWT must include the correct iss, sub, aud, iat, and exp claims. The iss and sub should match your system user name.

4. Key format issues - If using zitadel-tools, you may need to generate your RSA key with the --traditional flag (2):
openssl genrsa --traditional -out system-user-1.pem 2048

The error you're seeing is commonly reported when the JWT audience doesn't match the ZITADEL instance URL exactly, particularly when a port number is required but not included (1).

If you continue having issues after checking these items, please click the "Ask for help" button to tag a team member for further assistance.

To learn more, see the sources I considered:
[1] JWT auth fails when adding custom domain
[2] Zitadel Executing System API Call

Feel free to tag @Ask Inkeep with additional questions.
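
One way to check the claims from step 3 before sending the token, as an added example that is not part of the original thread or ZITADEL's own code: it decodes the JWT payload without verifying the signature and compares iss, sub, aud, iat and exp with the system user name and the instance URL. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import time

REQUIRED = ("iss", "sub", "aud", "iat", "exp")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_payload(token: str) -> dict:
    """Decode the JWT payload segment. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_system_api_jwt(token, user, audience, now=None):
    """Return a list of claim problems; an empty list means the claims look right."""
    now = time.time() if now is None else now
    claims = decode_payload(token)
    problems = [f"missing claim: {c}" for c in REQUIRED if c not in claims]
    for c in ("iss", "sub"):
        if c in claims and claims[c] != user:
            problems.append(f"{c}={claims[c]!r} does not match system user {user!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if aud is not None and audience not in aud_list:
        problems.append(f"aud={aud!r} does not match {audience!r} exactly")
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] <= now:
        problems.append("token expired")
    if isinstance(claims.get("iat"), (int, float)) and claims["iat"] > now:
        problems.append("iat is in the future (clock skew?)")
    return problems

def make_sample(claims: dict) -> str:
    """Constructed, unsigned sample token for the demo (the signature is a dummy)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'sig')}"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    token = make_sample({"iss": "system-user-1", "sub": "system-user-1",
                         "aud": "https://zitadel.domain.com",  # port missing
                         "iat": t0, "exp": t0 + 3600})
    for p in check_system_api_jwt(token, "system-user-1",
                                  "https://zitadel.domain.com:8080", now=t0 + 60):
        print(p)
```

Pass the output of zitadel-tools key2jwt as the token to inspect a real one; the check only reads the claims and says nothing about whether the signing key matches the configured public key.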
