SystemAPI doesn't work in v4.3.0

Following this tutorial no longer works:
https://zitadel.com/docs/guides/integrate/zitadel-apis/access-zitadel-system-api

I tried all kinds of things.. but can't manage to use the AddCustomDomain API.. it always gives me this error:

--- ERROR ---
Status Code: 401
Error Message: {"code":"unauthenticated","message":"Errors.Token.Invalid (AUTH-7fs1e)","details":[{"type":"zitadel.v1.ErrorDetail","value":"CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA","debug":{"id":"AUTH-7fs1e","message":"Errors.Token.Invalid"}}]}
Error Details (JSON): {
  "code": "unauthenticated",
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "type": "zitadel.v1.ErrorDetail",
      "value": "CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA",
      "debug": {
        "id": "AUTH-7fs1e",
        "message": "Errors.Token.Invalid"
      }
    }
  ]
}

--- ERROR ---
Status Code: 401
Error Message: {"code":"unauthenticated","message":"Errors.Token.Invalid (AUTH-7fs1e)","details":[{"type":"zitadel.v1.ErrorDetail","value":"CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA","debug":{"id":"AUTH-7fs1e","message":"Errors.Token.Invalid"}}]}
Error Details (JSON): {
  "code": "unauthenticated",
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "type": "zitadel.v1.ErrorDetail",
      "value": "CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA",
      "debug": {
        "id": "AUTH-7fs1e",
        "message": "Errors.Token.Invalid"
      }
    }
  ]
}

--- ERROR ---
Status Code: 401
Error Message: {"code":"unauthenticated","message":"Errors.Token.Invalid (AUTH-7fs1e)","details":[{"type":"zitadel.v1.ErrorDetail","value":"CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA","debug":{"id":"AUTH-7fs1e","message":"Errors.Token.Invalid"}}]}
Error Details (JSON): {
  "code": "unauthenticated",
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "type": "zitadel.v1.ErrorDetail",
      "value": "CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA",
      "debug": {
        "id": "AUTH-7fs1e",
        "message": "Errors.Token.Invalid"
      }
    }
  ]
}

--- ERROR ---
Status Code: 401
Error Message: {"code":"unauthenticated","message":"Errors.Token.Invalid (AUTH-7fs1e)","details":[{"type":"zitadel.v1.ErrorDetail","value":"CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA","debug":{"id":"AUTH-7fs1e","message":"Errors.Token.Invalid"}}]}
Error Details (JSON): {
  "code": "unauthenticated",
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "type": "zitadel.v1.ErrorDetail",
      "value": "CgpBVVRILTdmczFlEhRFcnJvcnMuVG9rZW4uSW52YWxpZA",
      "debug": {
        "id": "AUTH-7fs1e",
        "message": "Errors.Token.Invalid"
      }
    }
  ]
}

ZITADEL Docs

This guide focuses on the ZITADEL System API. To access the other APIs (Admin, Auth, Management), please checkout this guide.

Ask Inkeep•10/6/25, 11:46 PM

Hi @Aldraz, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/6/25, 11:46 PM

Answer

The AUTH-7fs1eAUTH-7fs1e error indicates an invalid token issue with System API authentication. Based on community reports, there are several common causes for this error:

Key troubleshooting steps:

**Include the correct port in your JWT audience** - The audience must match exactly what ZITADEL resolves to, including any port number [(1) ](<https://discord.com/channels/927474939156643850/1392011076077490197>) . For example, if your ZITADEL instance runs on port 8080, use:```bashzitadel-tools key2jwt \ --key system-user-1.pem \ --issuer system-user-1 \ --audience <https://zitadel.domain.com:8080>```
Verify your System API user configuration
- Ensure your public key is properly loaded in the SystemAPIUsers configuration . The key should be base64-encoded and properly indented in your configuration.
Check JWT claims
- Your JWT must include the correct ississ, subsub,
```
aud
```
```
aud
```
  , iatiat, and expexp claims . The ississ and subsub should match your system user name.
Key format issues
- If using zitadel-toolszitadel-tools, you may need to generate your RSA key with the --traditional--traditional flag (2) :
  openssl genrsa --traditional -out system-user-1.pem 2048
  openssl genrsa --traditional -out system-user-1.pem 2048

The error you're seeing is commonly reported when the JWT audience doesn't match the ZITADEL instance URL exactly, particularly when a port number is required but not included questions-help-bugsJWT auth fails when adding custom domain .

If you continue having issues after checking these items, please click the "Ask for help" button to tag a team member for further assistance.

Ask Inkeep•10/6/25, 11:46 PM

To learn more, see the sources I considered:

questions-help-bugsJWT auth fails when adding custom domain
[2] Zitadel Executing System API Call

Ask Inkeep•10/6/25, 11:46 PM

Feel free to tag @Ask Inkeep with additional questions.