/auth/v1/users/me returns HTTP 500 instead of 401 for unauthenticated requests (Zitadel Cloud)
βUnsolvedπͺ²Bugs
Calling
with a gRPC error body instead of HTTP 401.
Response body
{"code":2,"message":"rpc error: code = Unauthenticated desc = auth header missing ()","details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail","message":"rpc error: code = Unauthenticated desc = auth header missing"}]}
Expected behavior
HTTP 401 Unauthorized (as it was before ~Feb 16, 2026)
Environment
- Zitadel Cloud
- Endpoint: /auth/v1/users/me
- No authorization header sent
Timeline
- Working correctly (returning 401): Feb 5, 2026
- Broken (returning 500): Feb 25, 2026
- Zitadel v4.11.0 was released Feb 16, 2026 β likely the trigger
GET /auth/v1/users/meGET /auth/v1/users/me without an authorization header now returns HTTP 500 with a gRPC error body instead of HTTP 401.
Response body
{"code":2,"message":"rpc error: code = Unauthenticated desc = auth header missing ()","details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail","message":"rpc error: code = Unauthenticated desc = auth header missing"}]}
Expected behavior
HTTP 401 Unauthorized (as it was before ~Feb 16, 2026)
Environment
- Zitadel Cloud
- Endpoint: /auth/v1/users/me
- No authorization header sent
Timeline
- Working correctly (returning 401): Feb 5, 2026
- Broken (returning 500): Feb 25, 2026
- Zitadel v4.11.0 was released Feb 16, 2026 β likely the trigger
