# JWT 401 Error - Root Cause and Resolution

## Problem

Getting "HTTP 401: Invalid JWT" errors throughout the app.

## Root Cause Identified ✓

The JWT being sent has algorithm **ES256** (Elliptic Curve), but your Supabase project expects **HS256** (HMAC).

**Evidence:**

```
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJFUzI1NiIsImtpZCI6ImI2NmJjNThkLTM0YjgtND...
                                                ^^^^^^^^
                                                ES256 algorithm
```

Your project's anon key:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
           ^^^^^^^^
           HS256 algorithm
```

## What This Means

You were previously signed into a **different Supabase project** that uses ES256 JWTs. The app cached that session, and even though you're now passing the correct credentials via environment variables, the **old cached session** is being used for all API calls.

## Solution Applied ✓

1. **Uninstalled the app** completely from your Pixel 9
2. **Reinstalling with fresh credentials** (no cached session)

## What Will Happen Next

After reinstall:

1. App will have NO cached session
2. You'll see the sign-in screen
3. When you sign in, Supabase will create a session with **HS256 JWT** (matching your project)
4. All API calls will succeed
5. JWT errors will be gone

## Verification

After the app reinstalls and you sign in, check the console for:

**BEFORE (Wrong):**

```
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJFUzI1NiIsImtpZCI6...
```

**AFTER (Correct):**

```
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJIUzI1NiIsInR5cCI6...
```

The algorithm should be **HS256**, not ES256.

## Other Fixes Applied

While troubleshooting, we also:

1. ✅ **Verified database functions exist**
   - `has_block_between()` - EXISTS
   - `is_mutual_follow()` - EXISTS

2. ✅ **Verified Edge Functions are deployed**
   - `signup` - Deployed
   - `profile` - Deployed
   - `feed-sojorn` - Deployed
   - `feed-personal` - Deployed

3. ✅ **Added error handling** to [api_service.dart](c:\Webs\Sojorn\sojorn_app\lib\services\api_service.dart)
   - `hasProfile()` - Now gracefully handles errors
   - `hasCategorySelection()` - Now gracefully handles errors
   - Added debug logging to see JWT details

4. ✅ **Created deployment and diagnostic tools**
   - [DEPLOY_EDGE_FUNCTIONS.md](c:\Webs\Sojorn\DEPLOY_EDGE_FUNCTIONS.md)
   - [TROUBLESHOOTING_JWT.md](c:\Webs\Sojorn\TROUBLESHOOTING_JWT.md)
   - [test_edge_functions.ps1](c:\Webs\Sojorn\test_edge_functions.ps1)
   - [check_rls_setup.sql](c:\Webs\Sojorn\supabase\diagnostics\check_rls_setup.sql)

## If Issue Persists

If you still see ES256 after reinstall, it means:

1. The app is reading credentials from somewhere else (check for hardcoded values)
2. You're signing in with an account from a different Supabase project
3. There's a Supabase session restore happening from cloud backup

**Next debug step:** Check the actual Supabase URL being used:

```dart
print('Supabase URL: ${Supabase.instance.client.supabaseUrl}');
print('Expected: https://zwkihedetedlatyvplyz.supabase.co');
```

## Summary

**Issue:** Cached session from wrong Supabase project (ES256 vs HS256)
**Fix:** Complete app uninstall/reinstall
**Status:** Reinstalling now...
**Next:** Sign in and verify JWT shows HS256
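
The header comparison from the Evidence and Verification sections can be done by decoding the token instead of reading its base64 prefix, which also shows which project issued a cached session. The following is an added example, not code from `api_service.dart`; `decodeSegment`, `checkToken` and `sampleJwt` are hypothetical helper names, the sample tokens are constructed, and it assumes the session token's `iss` claim is a URL on the issuing project's host.

```dart
import 'dart:convert';

/// Decodes one base64url JWT segment into a JSON object, or null if malformed.
Map<String, dynamic>? decodeSegment(String segment) {
  try {
    final bytes = base64Url.decode(base64Url.normalize(segment));
    final json = jsonDecode(utf8.decode(bytes));
    return json is Map<String, dynamic> ? json : null;
  } on FormatException {
    return null;
  }
}

/// Lists mismatches between a token and the expected project.
/// Reads header and payload only; the signature segment is never logged.
List<String> checkToken(String jwt, String expectedAlg, String expectedUrl) {
  final parts = jwt.split('.');
  if (parts.length != 3) return ['not a three-part JWT'];
  final header = decodeSegment(parts[0]);
  final payload = decodeSegment(parts[1]);
  if (header == null || payload == null) return ['undecodable header or payload'];
  final problems = <String>[];
  if (header['alg'] != expectedAlg) {
    problems.add('alg is ${header['alg']}, expected $expectedAlg');
  }
  // Assumption: a session token's "iss" claim is a URL on the issuing project's host.
  final issHost = Uri.tryParse('${payload['iss']}')?.host ?? '';
  if (issHost != Uri.parse(expectedUrl).host) {
    problems.add('iss host is "$issHost", expected ${Uri.parse(expectedUrl).host}');
  }
  return problems;
}

/// Builds an unsigned sample token (constructed data, not a real credential).
String sampleJwt(Map<String, dynamic> header, Map<String, dynamic> payload) {
  String enc(Object o) =>
      base64Url.encode(utf8.encode(jsonEncode(o))).replaceAll('=', '');
  return '${enc(header)}.${enc(payload)}.constructed-signature';
}

void main() {
  const url = 'https://zwkihedetedlatyvplyz.supabase.co';
  final stale = sampleJwt({'alg': 'ES256', 'kid': 'constructed-kid'},
      {'iss': 'https://other-project.example/auth/v1'});
  final fresh = sampleJwt({'alg': 'HS256', 'typ': 'JWT'}, {'iss': '$url/auth/v1'});
  print(checkToken(stale, 'HS256', url));
  print(checkToken(fresh, 'HS256', url));
}
```

An empty list means the token's algorithm and issuer host both match the expected project; logging this result keeps token material out of the debug console.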