Issue description
This error code typically indicates an issue with the JSON Web Token (JWT) signature provided with the API request. An invalid signature results from using non-matching API and secret keys when creating the request.
Fireblocks API body response
{ message: 'invalid signature', code: -1 }
Python SDK error message
fireblocks_sdk.api_types.FireblocksApiException: Got an error from fireblocks server: { "message": "invalid signature", "code": -1}
JavaScript SDK error response
response: {
  status: 401,
  statusText: 'Unauthorized',
  headers: {
    server: 'nginx',
    date: 'Tue, 28 Feb 2023 17:12:11 GMT',
    'content-type': 'application/octet-stream',
    'content-length': '65',
    connection: 'close'
  },
  config: <REMOVED_CONFIG_DATA>,
  request: <REMOVED_REQUEST_DATA>,
  data: { message: 'Unauthorized: Token was not accepted.', code: -7 }
}
Resolution
The API key and the JWT signature are user-supplied parameters used to authenticate API requests. The JWT signature is generated with the API user's secret key, and Fireblocks verifies it against the Certificate Signing Request (CSR) for that secret key, which was provided to Fireblocks when the API user was created.
To validate whether the correct secret key is being used, locate the CSR originally provided to Fireblocks and run the following commands. The two SHA-256 hash outputs must match:
openssl pkey -in <SECRET_KEY_FILE> -pubout -outform pem | sha256sum
openssl req -in <CSR_FILE> -pubkey -noout -outform pem | sha256sum
For example, this shows a valid CSR and secret key pair:
openssl pkey -in fireblocks_secret_api101.key -pubout -outform pem | sha256sum
feb2...1bf -
openssl req -in fireblocks_api101.csr -pubkey -noout -outform pem | sha256sum
feb2...1bf -
And this shows an invalid CSR and secret key pair:
openssl pkey -in fireblocks_api_secret.key -pubout -outform pem | sha256sum
feb2...1bf -
openssl req -in fireblocks_api.csr -pubkey -noout -outform pem | sha256sum
e3b...855 -
If the secret key does not match the CSR provided to Fireblocks, you must locate and implement the correct secret key. If you can't find the valid secret key, you must create a new API user.
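The comparison above as a script, added here as an example and not Fireblocks' own tooling; the function names are hypothetical. Because the original commands pipe straight into sha256sum, a failed openssl call (wrong path, unreadable file) still prints a hash, that of empty input, so this version checks openssl's result before hashing.

```bash
#!/usr/bin/env bash
# Added example: check that a secret key and a CSR carry the same public key.
# Function names are hypothetical; file paths are supplied by the caller.

# SHA-256 of the public key derived from a private key file.
# Returns non-zero if openssl cannot parse the file.
pubkey_hash_from_key() {
    local pem
    pem=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the public key embedded in a CSR file.
pubkey_hash_from_csr() {
    local pem
    pem=$(openssl req -in "$1" -pubkey -noout -outform pem 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be read or parsed.
check_key_matches_csr() {
    local key_hash csr_hash
    key_hash=$(pubkey_hash_from_key "$1") || { echo "cannot parse secret key: $1" >&2; return 2; }
    csr_hash=$(pubkey_hash_from_csr "$2") || { echo "cannot parse CSR: $2" >&2; return 2; }
    if [ "$key_hash" = "$csr_hash" ]; then
        echo "MATCH: $key_hash"
        return 0
    fi
    echo "MISMATCH: key=$key_hash csr=$csr_hash" >&2
    return 1
}

# Run the check when called with two arguments: <SECRET_KEY_FILE> <CSR_FILE>
if [ "$#" -eq 2 ]; then
    check_key_matches_csr "$1" "$2"
fi
```

An exit status of 2 means the comparison never took place, so fix the file path or format before concluding that the key and CSR do not match.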