Skip to content
AnglinAI Docs

ERR_AUTH_JWKS_FETCH_FAILED — Auth JWKS Fetch Failed

HTTP Status: 503 Retryable: Yes Automatic retry: None. The JWKS fetch is attempted once per cache miss (cache TTL is 1 hour).

What the User Sees

Authentication service is temporarily unavailable. (ERR_AUTH_JWKS_FETCH_FAILED)

What Causes This Error

The JWKS endpoint at {SUPABASE_URL}/auth/v1/.well-known/jwks.json is unreachable or returned a non-200 response. This endpoint provides the ES256 public keys used to verify JWT signatures in the auth middleware.

The JWKS keys are cached in Worker memory for 1 hour. This error only occurs when the cache has expired (or on a cold start) and the fetch to refresh the keys fails. During normal operation with warm cache, this error cannot occur.

If Supabase auth is down, all new authentication attempts that require a JWKS refresh will fail. However, existing sessions that were verified while the JWKS cache was populated will continue to work for up to 1 hour (until the cache expires).

This means the blast radius of a Supabase auth outage is limited — users who authenticated recently will be unaffected for up to an hour.

Resolution Steps

For Users

  1. Try again in a moment. The authentication service may be experiencing a brief interruption.
  2. If you were previously signed in and the page was working, try refreshing — your cached session may still be valid.
  3. If the error persists for more than a few minutes, the authentication service may be experiencing a longer outage.

For Administrators

  1. Check Supabase auth service status at https://status.supabase.com.
  2. Test the JWKS endpoint directly:
    Terminal window
    curl -v https://vuvwmfxssjosfphzpzim.supabase.co/auth/v1/.well-known/jwks.json
  3. If the endpoint returns a non-200 status, the Supabase auth service is likely experiencing issues. No action can be taken on our side — wait for Supabase to resolve the issue.
  4. If the SUPABASE_URL Worker secret is incorrect, no JWKS fetch will ever succeed. Verify it matches the project URL.
  5. During a prolonged auth outage, consider temporarily using the SUPABASE_JWT_SECRET for HMAC-based verification as a fallback (requires code changes).
  6. Monitor the JWKS cache hit rate in Grafana. A cache miss storm after a cold start with Supabase down will generate many of these errors simultaneously.