JWT 401 Error - Root Cause and Resolution
Problem
Getting "HTTP 401: Invalid JWT" errors throughout the app.
Root Cause Identified ✓
The JWT being sent is signed with ES256 (ECDSA over the P-256 curve), but your Supabase project expects HS256 (HMAC-SHA256 with the project's JWT secret). A token signed with the wrong algorithm and key can never validate against this project, so every authenticated request is rejected with 401.
Evidence:
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJFUzI1NiIsImtpZCI6ImI2NmJjNThkLTM0YjgtND...
(the header segment eyJhbGciOiJFUzI1NiIs... decodes to "alg": "ES256")
Your project's anon key:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
(the header segment decodes to "alg": "HS256")
What This Means
You were previously signed into a different Supabase project that uses ES256 JWTs. The app cached that session, and even though you're now passing the correct credentials via environment variables, the old cached session is being used for all API calls.
Solution Applied ✓
- Uninstalled the app completely from your Pixel 9
- Reinstalling with fresh credentials (no cached session)
What Will Happen Next
After reinstall:
- App will have NO cached session
- You'll see the sign-in screen
- When you sign in, Supabase will create a session with HS256 JWT (matching your project)
- All API calls will succeed
- JWT errors will be gone
Verification
After the app reinstalls and you sign in, check the console for:
BEFORE (Wrong):
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJFUzI1NiIsImtpZCI6...
AFTER (Correct):
DEBUG: Sending JWT (first 50 chars): eyJhbGciOiJIUzI1NiIsInR5cCI6...
The algorithm should be HS256, not ES256.
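To make this verification step repeatable rather than eyeballing base64 prefixes, here is an added example (not part of the original note or the app's code) that decodes only the JOSE header of a token and compares its alg to the one this project expects. The two tokens are constructed samples with fake payloads and signatures; only their headers are meaningful.

```python
import base64
import json

# The algorithm this project's keys use (from the anon key in the note above).
EXPECTED_ALG = "HS256"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a JWT. Nothing is verified here:
    this only inspects metadata so a mismatch can be logged before the API
    rejects the call with 401."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[0]))


def check_jwt_alg(token: str, expected_alg: str = EXPECTED_ALG) -> tuple[bool, str]:
    """Return (matches, alg). A False result means the session was issued
    by a project (or key) other than the one the app is configured for."""
    alg = jwt_header(token).get("alg", "<missing>")
    return alg == expected_alg, alg


def _fake_jwt(header: dict) -> str:
    """Build a constructed sample token: real header, dummy payload and signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "user-123", "role": "authenticated"}), "c2ln"])


# Constructed samples: the 'kid' value is a placeholder, not a real key id.
STALE_TOKEN = _fake_jwt({"alg": "ES256", "kid": "b66bc58d-placeholder", "typ": "JWT"})
FRESH_TOKEN = _fake_jwt({"alg": "HS256", "typ": "JWT"})

if __name__ == "__main__":
    for name, tok in (("stale", STALE_TOKEN), ("fresh", FRESH_TOKEN)):
        ok, alg = check_jwt_alg(tok)
        print(f"{name}: alg={alg} {'OK' if ok else 'MISMATCH, expected ' + EXPECTED_ALG}")
```

The fresh sample's header encodes to exactly the eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 prefix shown for the anon key above, which is why that prefix is a reliable fingerprint of an HS256 header.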
Other Fixes Applied
While troubleshooting, we also:
- ✅ Verified database functions exist
  - has_block_between() - EXISTS
  - is_mutual_follow() - EXISTS
- ✅ Verified Edge Functions are deployed
  - signup - Deployed
  - profile - Deployed
  - feed-sojorn - Deployed
  - feed-personal - Deployed
- ✅ Added error handling to api_service.dart
  - hasProfile() - Now gracefully handles errors
  - hasCategorySelection() - Now gracefully handles errors
  - Added debug logging to see JWT details
- ✅ Created deployment and diagnostic tools
If Issue Persists
If you still see ES256 after reinstall, it means:
- The app is reading credentials from somewhere else (check for hardcoded values)
- You're signing in with an account from a different Supabase project
- There's a Supabase session restore happening from cloud backup
Next debug step: Check the actual Supabase URL being used:
print('Supabase URL: ${Supabase.instance.client.supabaseUrl}');
print('Expected: https://zwkihedetedlatyvplyz.supabase.co');
Summary
Issue: Cached session from wrong Supabase project (ES256 vs HS256)
Fix: Complete app uninstall/reinstall
Status: Reinstalling now...
Next: Sign in and verify JWT shows HS256