Edge Function 401 error response
Last edited: 3/11/2026
The function rejected the request for lacking the appropriate authorization headers.
Context for the error
The JWT verification check
By default, edge functions are configured to check requests for a valid legacy key.
How the check causes 401 errors
The check fails and returns a 401 error if:
- The request includes an invalid legacy key, or
- The request uses the newer asymmetric keys instead of a legacy key.
What this check actually does
This validation provides limited security value. It only confirms that the request carries a legacy token associated with your project, such as the anon key, which every client of your app already holds.
It does not validate the user's identity or permissions beyond that.
Because the check is this weak, it was deprecated rather than extended to the new asymmetric keys: requests that use them do not pass it.
Solving the error
Step 1: Identifying the error
If your request returns a 401 but doesn't match the criteria below, the error is coming from your app logic, not the JWT check.
Inspecting the return message
When an edge function fails the platform's JWT check, it returns this 401 response body:

```json
{
  "code": 401,
  "message": "Invalid JWT"
}
```

Inspecting the logs
Your code may also return a 401 due to its own logic:

```typescript
return new Response(JSON.stringify(data), {
  headers: { ...corsHeaders, 'Content-Type': 'application/json' },
  status: 401, // app logic returning a 401
})
```

A 401 status code alone therefore doesn't confirm a JWT check failure. The log entry must also lack an execution_id, because the platform check rejects the request before your function runs and no execution is recorded.

Instead of manually reviewing the logs, you can run the query below in the log explorer to get a list of functions that were impacted by the check (a 401 with no execution_id):

```sql
select distinct
  req.pathname as function_name,
  res.status_code
from
  function_edge_logs
  cross join UNNEST(metadata) as metadata
  cross join UNNEST(metadata.request) as req
  cross join UNNEST(metadata.response) as res
where
  res.status_code = 401
  and metadata.execution_id is null
limit 10;
```

Step 2: Disabling the JWT check
The JWT check provides minimal security benefits, so we now recommend handling authentication through app logic instead. See the Edge Function Auth Doc for details.
If you've migrated to asymmetric keys (publishable/secret) or no longer need the JWT check, you can disable it using one of the three options below:
If you would like to continue using the JWT check, make sure that your Supabase Client only uses your legacy keys.
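To make the gap between the platform check and real authorization concrete, here is an added example in TypeScript (the language Edge Functions are written in). It is not Supabase's code and not code from this page. It reproduces what the legacy check verifies, an HS256 signature under the project's legacy JWT secret, and then shows the app-level check that the page recommends layering on top: requiring a user token with role `authenticated`, a `sub` and an unexpired `exp`. The secret, the `signHs256` helper, the tokens and the `sb_publishable_...` string are all constructed for this example, and plain header/reply objects stand in for the `Request`/`Response` objects a deployed function handles.

```typescript
// Added example, not Supabase's own code. It mirrors what the platform's legacy
// JWT check verifies (an HS256 signature under the project's legacy JWT secret)
// and what an app-level check has to add on top of it. The secret, keys and
// claims below are constructed for this example and are not real project values.
import { createHmac, timingSafeEqual } from "crypto";

// Constructed stand-in for a project's legacy JWT secret.
const LEGACY_JWT_SECRET = "constructed-legacy-jwt-secret-for-this-example";

interface Claims {
  role?: string;   // "anon", "service_role" or "authenticated"
  sub?: string;    // user id, present only on user access tokens
  exp?: number;    // expiry, seconds since epoch
  [key: string]: unknown;
}

interface Reply {
  status: number;
  body: Record<string, unknown>;
}

function b64url(data: string): string {
  return Buffer.from(data, "utf8").toString("base64url");
}

// Mints an HS256 JWT shaped like a legacy anon key or a user access token.
// Constructed helper so the example runs offline; real tokens are issued by the project.
function signHs256(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// What the platform check does: accept any JWT whose HS256 signature matches the
// legacy secret, and nothing more. Returns the claims, or null for anything that is
// malformed, wrongly signed or not a JWT at all (sb_publishable_... / sb_secret_...
// keys are not JWTs, so they fail here with "Invalid JWT").
function verifyLegacyJwt(token: string, secret: string): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const actual = Buffer.from(sig, "base64url");
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) return null;
  try {
    const hdr = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    if (hdr.alg !== "HS256") return null; // reject alg confusion (e.g. "none")
    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
  } catch {
    return null;
  }
}

// The 401 body the platform returns when its check fails (as documented on this page).
function platformReject(): Reply {
  return { status: 401, body: { code: 401, message: "Invalid JWT" } };
}

// App logic: additionally require a user token (role "authenticated", a sub, not expired).
// The anon key passes verifyLegacyJwt but is rejected here, which is the gap the page describes.
function authorizeRequest(
  headers: Record<string, string>,
  secret: string,
  now: number = Math.floor(Date.now() / 1000),
): Reply {
  const auth = Object.entries(headers).find(([k]) => k.toLowerCase() === "authorization")?.[1] ?? "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  const claims = verifyLegacyJwt(token, secret);
  if (claims === null) return platformReject();
  if (claims.role !== "authenticated" || !claims.sub || (claims.exp ?? 0) <= now) {
    return { status: 401, body: { error: "Unauthorized" } }; // app logic returning a 401
  }
  return { status: 200, body: { user: claims.sub } };
}

// Demonstration with constructed tokens.
const FAR_FUTURE = 4102444800; // 2100-01-01, so the demo tokens never expire
const anonKey = signHs256({ role: "anon", exp: FAR_FUTURE }, LEGACY_JWT_SECRET);
const userToken = signHs256({ role: "authenticated", sub: "user-123", exp: FAR_FUTURE }, LEGACY_JWT_SECRET);
console.log(authorizeRequest({ Authorization: `Bearer ${anonKey}` }, LEGACY_JWT_SECRET).status);   // 401
console.log(authorizeRequest({ Authorization: `Bearer ${userToken}` }, LEGACY_JWT_SECRET).status); // 200
console.log(authorizeRequest({ Authorization: "Bearer sb_publishable_constructed" }, LEGACY_JWT_SECRET).body);
```

The point of `verifyLegacyJwt` succeeding on the anon key while `authorizeRequest` rejects it is the whole story of this page: a passing platform check tells you the caller has your public anon key, nothing more, so the identity and permission decisions belong in your function. In a deployed function you would read the header from the incoming `Request` and return a `Response` instead of the plain objects used here.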
Additional resources
- Securing Edge Functions
- Debugging Edge Functions
- Quickstart Deployment: Dashboard
- Quickstart Deployment: CLI