Unauthorized
ERR-P01-IDT-0401 - Unauthorized
Section titled “ERR-P01-IDT-0401 - Unauthorized”Summary
Section titled “Summary”Authentication failed and no more specific 1xxx code applies - the catch-all for a missing, malformed, or unverifiable credential.
When this is raised
Section titled “When this is raised”- No
Authorization: Bearerheader was sent to a guarded route. - The bearer is a compact JWS that does not split into three parts, or whose header/payload is not valid JSON.
- Self-signed claim checks fail:
issdoes not equalsub, orsubdoes not match the key’sagent_id. - The Ed25519 signature does not verify, or the owning agent is not in
activestatus. - The
X-Service-Keypresented to/_admin/*is missing or does not match (constant-time compare).
What to do
Section titled “What to do”- Attach a valid
Authorization: Bearer <JWT>(orX-Service-Keyfor admin routes) and retry. - If the message points at a self-signed claim, ensure
iss == sub == agent_idand that you are signing with the agent’s own key. - If the signature fails, confirm you are signing the exact
header.payloadbytes with the Ed25519 private key whose public half is registered under thekid.
Server-side cause
Section titled “Server-side cause”- Raised by:
packages/identity/src/auth.ts-verifyAgentJwt(parse, self-signed sanity, signature, and agent-active guards) and the noop verifier; alsoapps/api/src/middleware/auth.ts(serviceKeyAuthand the missing-bearer guard) andapps/mail/src/middleware/auth.ts. - Guard: every
new AuthError(IDENTITY_ERR.unauthorized, …)site.
Example response
Section titled “Example response”{ "type": "https://citizenry.id/errors/ERR-P01-IDT-0401", "title": "Unauthorized", "status": 401, "code": "ERR-P01-IDT-0401", "message": "Authorization Bearer missing", "method": "GET", "instance": "/v1/agent/me", "request_url": "https://api.citizenry.id/v1/agent/me", "timestamp": "2026-05-17T07:00:00.000Z"}Related codes
Section titled “Related codes”ERR-P01-IDT-1001- JWT alg mismatch (a specific verifier failure).ERR-P01-IDT-1004- JWT kid unknown.ERR-P01-IDT-1040- API-Key invalid.
Changelog
Section titled “Changelog”- 0.1.0 - introduced.