Valid JWT Tokens have stopped authenticating
# support
s
We've been using the API List Calls endpoint successfully, up until this weekend. At some point, the calls started throwing 403 errors with the message:

```
{ "message": "JWT doesn't permit access. Hot tip, you may be missing `token` in your JWT.", "error": "Forbidden", "statusCode": 403 }
```

We've tried to create new private API keys with the same result. Any ideas?
v
Hi there! Sorry to hear you're experiencing authentication issues with the List Calls endpoint.

I wasn't able to find specific information about what might have changed on the Vapi platform over the weekend. However, I can help troubleshoot the JWT authentication issue you're experiencing. Based on the error message you're receiving, it appears that your JWT is missing a required `token` field in the payload. Here are some troubleshooting steps:

## Verify Your JWT Structure

The error message specifically mentions "you may be missing `token` in your JWT." According to [troubleshooting documentation](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1333897284894724188), you should ensure your JWT payload includes all required fields. You can use [jwt.io](https://jwt.io/) to decode and verify your JWT token structure. A properly formatted JWT consists of three parts separated by dots (header.payload.signature).

## Check Your JWT Payload

While I couldn't find specific documentation about the required `token` field, the JWT payload should contain necessary claims. For example, according to [JWT authentication documentation](https://docs.vapi.ai/customization/jwt-authentication), your payload might need to include an `orgId`:

```javascript
const payload = {
  orgId: process.env.ORG_ID,
  // You might need to add a "token" field here
};
```

## Verify Authorization Header Format

Ensure you're sending the JWT correctly in the Authorization header:

```
Authorization: Bearer YOUR_JWT
```

## Check Private Key Configuration

Confirm that:
- The private key is correctly configured in Vapi
- The key used to sign the JWT matches the one registered with Vapi
- The key format is correct (typically PEM format)
- If the key is managed by a service, it has the necessary permissions

## API Endpoint Verification

The correct URL for the List Calls endpoint is `https://api.vapi.ai/call` using the GET method. Double-check that you're using the correct endpoint and HTTP method.

Is there any specific part of the JWT configuration you'd like me to help with further?

Sources:
- [JWT Authentication Documentation](https://docs.vapi.ai/customization/jwt-authentication)
- [Troubleshooting 403 Errors](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1333897284894724188)
- [JWT Verification](https://discord.com/channels/1211482211119796234/1211483291191083018/threads/1336414771309838448)
- [API List Calls Endpoint](https://docs.vapi.ai/api-reference/calls/list)
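An offline version of the payload check suggested in the reply above, as an added example that is not part of the thread and not Vapi's own code: it decodes a JWT payload without verifying the signature and lists the claims that are missing. The required-claim list (`orgId`, `token`) comes from the docs snippet and the 403 hint on this page; the function names, the sample values and the shape of the `token` claim are assumptions.

```javascript
// Added example: local pre-flight check of a JWT payload before calling the API.
// Claims named on this page: `orgId` (docs snippet) and `token` (403 hint).
const REQUIRED_CLAIMS = ['orgId', 'token'];

const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');

// Decode the payload WITHOUT verifying the signature (diagnostics only;
// never use this result to make an authorization decision).
function decodePayload(jwt) {
  const parts = String(jwt).trim().split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error('expected header.payload.signature');
  }
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('payload is not a JSON object');
  }
  return payload;
}

// Return the problems that could explain a rejection; an empty list means none found.
function checkClaims(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  let payload;
  try {
    payload = decodePayload(jwt);
  } catch (e) {
    return [`malformed: ${e.message}`];
  }
  const problems = REQUIRED_CLAIMS
    .filter((c) => payload[c] === undefined || payload[c] === null || payload[c] === '')
    .map((c) => `missing claim: ${c}`);
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    problems.push('expired');
  }
  return problems;
}

// Constructed sample tokens. The signature is a placeholder because nothing here verifies it.
function sampleJwt(payload) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${head}.${b64url(JSON.stringify(payload))}.${b64url('constructed-signature')}`;
}

// Payload with only orgId, as in the snippet above, versus one that also carries `token`.
// The `{ tag: 'private' }` value is an assumed shape, not taken from this page.
const withoutToken = sampleJwt({ orgId: 'org-constructed', exp: 4102444800 });
const withToken = sampleJwt({ orgId: 'org-constructed', token: { tag: 'private' }, exp: 4102444800 });
console.log(checkClaims(withoutToken));
console.log(checkClaims(withToken));
```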
s
Have already verified all the above is correct
k
Hey @Shermanai, we recently made a small change where now in the JWT token you have to include the scope as well (for private or public tokens). That's why your requests are failing with the 'permits' access missing. To learn more about it, check this documentation: