Getting 401 on API calls using Passport - Malformed JWT Header

Posted 2 months ago by icelos

Hi everyone,

First time posting and I feel like I'm losing my mind; I've been working on this issue for many hours and just can't figure it out. That probably means it's something obvious once I figure out what the problem is.

The problem: I have a route /api/likes/{id} which is protected by api:auth middleware so that logged-in users can get a list of likes they have submitted. I have added the CreateFreshApiToken middleware to the end of the web middleware group so the token is being added as a cookie. This was all working fine and well in my staging environment, and was working on production up until recently. Since I can't reproduce in staging I've debugged through production and have found that the JWT has an extra 40-character hex string prepended to the beginning and separated by a pipe like this:


b64 decoded as:


So once it goes through jsonDecode in /vendor/firebase/php-jwt/src/JWT.php it throws a malformed JSON error and returns a 401.

Has anyone encountered this before and what am I missing? The only differences between staging and prod are that I am using GitLab CI/CD and Cloudflare static resource caching on prod; otherwise they are identical.

Thanks guys.
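
A diagnostic sketch for the symptom described in the post, added here as an example and not code from the post, Passport or php-jwt: it classifies a cookie value as a clean JWT, a JWT sitting behind a 40-character hex prefix and a pipe, or neither. The function names and the sample token are constructed for illustration.

```php
<?php
declare(strict_types=1);

/** Decode one base64url JWT segment; returns null if it is not valid base64url. */
function b64urlDecode(string $segment): ?string
{
    $padded = strtr($segment, '-_', '+/') . str_repeat('=', (4 - strlen($segment) % 4) % 4);
    $raw = base64_decode($padded, true); // strict mode rejects characters such as "|"
    return $raw === false ? null : $raw;
}

/** True when the token has three segments and the first decodes to a JSON object with "alg". */
function headerIsValid(string $token): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    $json = b64urlDecode($parts[0]);
    $header = $json === null ? null : json_decode($json, true);
    return is_array($header) && isset($header['alg']);
}

/** Classify a raw cookie value: clean JWT, JWT behind a "<40 hex>|" prefix, or malformed. */
function inspectTokenCookie(string $value): array
{
    if (headerIsValid($value)) {
        return ['status' => 'clean', 'prefix' => null, 'jwt' => $value];
    }
    // The prefix and pipe land inside the header segment, so the header stops decoding.
    if (preg_match('/\A([0-9a-f]{40})\|(.+)\z/is', $value, $m) === 1 && headerIsValid($m[2])) {
        return ['status' => 'prefixed', 'prefix' => $m[1], 'jwt' => $m[2]];
    }
    return ['status' => 'malformed', 'prefix' => null, 'jwt' => null];
}

// Constructed sample: an unsigned placeholder token, not a value from the post.
$enc = fn (string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$jwt = $enc('{"typ":"JWT","alg":"RS256"}') . '.' . $enc('{"sub":"1"}') . '.' . $enc('placeholder-signature');
$prefixed = str_repeat('ab', 20) . '|' . $jwt; // constructed 40-character hex prefix

foreach (['clean' => $jwt, 'prefixed' => $prefixed, 'garbage' => 'not-a-token'] as $label => $value) {
    printf("%-8s => %s\n", $label, inspectTokenCookie($value)['status']);
}
```

Logging the returned status for the token cookie in each environment shows whether the value is already prefixed before it reaches the JWT decoder.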
