Sandbox Authorization: Authorization header not found

Good afternoon all,

I’m trying to run the sandbox with authentication, by adding options in my daml.yaml file but when I run daml start the sandbox itself seems to start up fine, whereas the navigator fails with WARN: Authorization error: Authorization header not found

In my daml.yaml I’ve got:

sandbox-options: ["-w", "--ledgerid=my-sandbox-ledger", "--auth-jwt-rs256-crt=./my-pem-file.pem"]
navigator-options: ["--access-token-file=./sandbox-navigator-token.txt"]
json-api-options: ["--access-token-file=./sandbox-api-token.txt"]

The JWT token in both text files is definitely prefixed with "Bearer " and the permissions inside the token should match the requirements for each service, so I’m at a loss to figure out where I’m going wrong.

Thanks in advance!

1 Like

If you run sandbox with --log-level DEBUG (INFO might be sufficient), it should display the reason for why permission got denied which might help you pin down the cuprit.

1 Like

The only other relevant piece of information seems to be DEBUG: Auth metadata decoded into empty claims, returning UNAUTHENTICATED but I’ve checked the token in and it definitely has the relevant ledger id, readAs, and actAs claims:

"": {
    "ledgerId": "my-sandbox-ledger",
    "participantId": "sandbox-participant",
    "actAs": [
    "admin": false,
    "readAs": [
1 Like

Did you check both tokens? I’d try starting sandbox first and then Navigator and the JSON API separately to narrow down which of the two is failing.

1 Like

So it turns out my issue was actually with the token for my init script, the log messages just weren’t separated based on tasks, so it took a while to figure it out!


A post was merged into an existing topic: Daml start from outside the project directory?

Great questions @lashenhurst. I split the second one into its own thread.