Service key invalid
ERR-P01-IDT-1020 - Service key invalid
Section titled “ERR-P01-IDT-1020 - Service key invalid”Summary
Section titled “Summary”The pre-shared service key (X-Service-Key) presented to an internal
/_admin/* route is missing or wrong.
When this is raised
Section titled “When this is raised”- A call to
/_admin/*(proxied byapps/admin-api) carries noX-Service-Key, or a value that does not match the Worker’s configuredSERVICE_KEY. - The comparison is constant-time (XOR diff) to avoid leaking the key via timing.
What to do
Section titled “What to do”- This is an internal trust boundary - only
apps/admin-apishould be calling/_admin/*. Ensure the caller forwards the correctX-Service-Key(sourced from the auto-managedSERVICE_KEYsecret). - External clients have no business on these routes; use the public
/v1/*surface instead.
Server-side cause
Section titled “Server-side cause”- Reserved code - the live
serviceKeyAuthguard currently emits the genericERR-P01-IDT-0401(unauthorized) rather than this dedicated PSK code. Seeapps/api/src/middleware/auth.ts-serviceKeyAuth,if (!expected || !safeEqual(provided, expected)) return unauthorized(…). Declared inpackages/spec/identity/errors.tspfor when the guard is specialised.
Example response
Section titled “Example response”{ "type": "https://citizenry.id/errors/ERR-P01-IDT-1020", "title": "Unauthorized", "status": 401, "code": "ERR-P01-IDT-1020", "message": "admin service key invalid or missing", "method": "GET", "instance": "/_admin/v1/admin/agents", "request_url": "https://api.citizenry.id/_admin/v1/admin/agents", "timestamp": "2026-05-17T07:00:00.000Z"}Related codes
Section titled “Related codes”ERR-P01-IDT-0401- unauthorized (the generic code the guard emits today).
Changelog
Section titled “Changelog”- 0.1.0 - introduced.