islamdarwish (2w ago)

Token gives "Errors.Token.Invalid (AUTH-7fs1e)" when access "auth/v1/policies/login"

When I get an access_token from the "/oauth/v2/token" endpoint and then use it in "auth/v1/policies/login", it gives "Errors.Token.Invalid (AUTH-7fs1e)".

Steps:

Auth request URL:

```
http://localhost:8080/oauth/v2/authorize?client_id=335061218119188483&redirect_uri=http://localhost:3000/callback&response_type=code&scope=openid%20email%20profile&code_challenge=H3UkWm5JEHFIqX-s_7VTcNFr2ZgNqf17r3z4ZrqdOUE&code_challenge_method=S256
```

Then send this request with the auth_request_id:

```bash
curl -s --request POST \
  --url "${ZITADEL_DOMAIN}/v2/oidc/auth_requests/${AUTH_REQUEST_ID}" \
  --header 'Accept: application/json' \
  --header "Authorization: Bearer ${SERVICE_ACCOUNT_TOKEN}" \
  --header 'Content-Type: application/json' \
  --data "{ \"session\": { \"sessionId\": \"${SESSION_ID}\", \"sessionToken\": \"${SESSION_TOKEN}\" } }"
```

Then send this request with the code to get the token:

```bash
curl -s --request POST \
  --url "${ZITADEL_DOMAIN}/oauth/v2/token" \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode "grant_type=authorization_code" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "code=${AUTH_CODE}" \
  --data-urlencode "redirect_uri=${REDIRECT_URI}" \
  --data-urlencode "code_verifier=${CODE_VERIFIER}"
```

Then use the token in policies/login (to get the configured IdPs):

```bash
curl --location --request GET 'localhost:8080/auth/v1/policies/login' \
  --header 'Authorization: Bearer gqn3JPU7d1SpIuOHDnAMD7DxboZ_8XRDFmNulmDvospJL6KtBMKzNNbFpCPQqaoVr_xZS0ha2ApmMP3uuJP_btS_Xn2C6-YvpXfpb2QM'
```

It returns:

```json
{
  "code": 16,
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
      "id": "AUTH-7fs1e",
      "message": "Errors.Token.Invalid"
    }
  ]
}
```
Ask Inkeep (2w ago)
Hi @islamdarwish, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

The "Errors.Token.Invalid (AUTH-7fs1e)" error you're encountering when accessing the ZITADEL Auth API (/auth/v1/policies/login) occurs because your access token is missing the required audience for ZITADEL APIs. [1] When you want to access ZITADEL APIs, you must include the ZITADEL audience scope in your authorization request. Add the following scope to your initial authorization request:

```
urn:zitadel:iam:org:project:id:zitadel:aud
```

Your authorization URL should look like this: [2] [1]

```
http://localhost:8080/oauth/v2/authorize?client_id=335061218119188483&redirect_uri=http://localhost:3000/callback&response_type=code&scope=openid%20email%20profile%20urn:zitadel:iam:org:project:id:zitadel:aud&code_challenge=H3UkWm5JEHFIqX-s_7VTcNFr2ZgNqf17r3z4ZrqdOUE&code_challenge_method=S256
```

The scope parameter is space-delimited, and including urn:zitadel:iam:org:project:id:zitadel:aud ensures that the access token you receive from /oauth/v2/token will have the proper audience to call ZITADEL's Auth API endpoints.

To learn more, see the sources I considered:

[1] How to use Auth API - I'm getting Errors.Token.Invalid
[2] OpenID Connect Endpoints in ZITADEL

Feel free to tag @Ask Inkeep with additional questions.
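The fix in the reply above comes down to one thing: the authorize request must carry the `urn:zitadel:iam:org:project:id:zitadel:aud` scope, or the resulting token is not accepted by ZITADEL's own APIs. The following is an added example (not code from the thread or from ZITADEL) that builds the PKCE values and the authorize URL with correct URL encoding, appends the audience scope when the token is meant for ZITADEL APIs, and includes a pre-flight check that catches an authorize URL missing that scope before the flow is even started. Function and parameter names are assumptions for illustration; the client_id, redirect_uri and issuer values are the ones from the thread.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Scope from the thread: makes ZITADEL include its own APIs in the token audience.
ZITADEL_AUD_SCOPE = "urn:zitadel:iam:org:project:id:zitadel:aud"

# The original (failing) authorize URL from the question, used as sample input.
ORIGINAL_URL = (
    "http://localhost:8080/oauth/v2/authorize?client_id=335061218119188483"
    "&redirect_uri=http://localhost:3000/callback&response_type=code"
    "&scope=openid%20email%20profile"
    "&code_challenge=H3UkWm5JEHFIqX-s_7VTcNFr2ZgNqf17r3z4ZrqdOUE&code_challenge_method=S256"
)


def new_pkce_verifier() -> str:
    """Random code_verifier: 32 bytes -> 43 base64url chars (RFC 7636 allows 43..128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str, scopes,
                        code_challenge: str, call_zitadel_api: bool = True) -> str:
    """Build the /oauth/v2/authorize URL; add the ZITADEL audience scope when the
    token will be used against ZITADEL's own APIs (e.g. /auth/v1/policies/login)."""
    scopes = list(scopes)
    if call_zitadel_api and ZITADEL_AUD_SCOPE not in scopes:
        scopes.append(ZITADEL_AUD_SCOPE)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # scope is space-delimited
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    # urlencode percent-encodes redirect_uri and the ':' characters in the scope value
    return f"{issuer.rstrip('/')}/oauth/v2/authorize?{urlencode(params)}"


def has_zitadel_audience_scope(authorize_url: str) -> bool:
    """Pre-flight check: will a token from this request be accepted by ZITADEL APIs?"""
    query = parse_qs(urlparse(authorize_url).query)
    scope_values = query.get("scope", [""])[0].split(" ")
    return ZITADEL_AUD_SCOPE in scope_values


if __name__ == "__main__":
    verifier = new_pkce_verifier()
    url = build_authorize_url(
        "http://localhost:8080", "335061218119188483",
        "http://localhost:3000/callback", ["openid", "email", "profile"],
        pkce_challenge(verifier),
    )
    print("original URL has audience scope:", has_zitadel_audience_scope(ORIGINAL_URL))
    print("fixed URL has audience scope:   ", has_zitadel_audience_scope(url))
    print("code_verifier (keep for /oauth/v2/token):", verifier)
    print(url)
```

Keep the `code_verifier` that was used to derive the challenge; it is what goes into `code_verifier=` on the later `/oauth/v2/token` call. Running the pre-flight check against the URL from the question returns False, which is exactly the condition that produces the AUTH-7fs1e error later in the flow.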
