Sandbox Authorization: Authorization header not found

Good afternoon all,

I’m trying to run the sandbox with authentication, by adding options in my daml.yaml file but when I run daml start the sandbox itself seems to start up fine, whereas the navigator fails with WARN: Authorization error: Authorization header not found

In my daml.yaml I’ve got:

sandbox-options: ["-w", "--ledgerid=my-sandbox-ledger", "--auth-jwt-rs256-crt=./my-pem-file.pem"]
navigator-options: ["--access-token-file=./sandbox-navigator-token.txt"]
json-api-options: ["--access-token-file=./sandbox-api-token.txt"]

The JWT token in both text files is definitely prefixed with "Bearer " and the permissions inside the token should match the requirements for each service, so I’m at a loss to figure out where I’m going wrong.

Thanks in advance!

If you run sandbox with --log-level DEBUG (INFO might be sufficient), it should display the reason for why permission got denied which might help you pin down the cuprit.

The only other relevant piece of information seems to be DEBUG: Auth metadata decoded into empty claims, returning UNAUTHENTICATED but I’ve checked the token in jwt.io and it definitely has the relevant ledger id, readAs, and actAs claims:

"https://daml.com/ledger-api": {
    "ledgerId": "my-sandbox-ledger",
    "participantId": "sandbox-participant",
    "actAs": [
      "Alice",
      "Bob",
      "Charlie"
    ],
    "admin": false,
    "readAs": [
      "Alice",
      "Bob",
      "Charlie"
    ]
  }

Did you check both tokens? I’d try starting sandbox first and then Navigator and the JSON API separately to narrow down which of the two is failing.

So it turns out my issue was actually with the token for my init script, the log messages just weren’t separated based on tasks, so it took a while to figure it out!

A post was merged into an existing topic: Daml start from outside the project directory?

Great questions @lashenhurst. I split the second one into its own thread.