Invalid token: Token Signature could not be verified


I’ve been trying to do a load test from SoapUI to the DreamFactory (Ver. 2.01). Here is what i’ve done:

  1. I have login, and get the session token
  2. Set the session token to “X-DreamFactory-Session-Token” and the API key to “X-DreamFactory-Api-Key” (in the request headers)
  3. Set the roles in the admin console
    however, when i called the request, I’ve get this following error :

I wonder if there’s any steps that i miss ? Thankyou

{“error”: {
“context”: null,
“message”: “Invalid token: Token Signature could not be verified.”,
“code”: 401,
“trace”: [
“0 [internal function]: DreamFactory\Http\Middleware\AccessCheck->handle(Object(Illuminate\Http\Request), Object(Closure))”, … ]


I’ve truncated your stack trace in the OP for brevity. You can turn off debug logging to get only the necessary error info, which is the message and code.

In this case it seems you’re doing everything right except for passing the session token. For example, I have this session token:

X-DreamFactory-Session-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsInVzZXJfaWQiOjEsImVtYWlsIjoiamVmZnJleUBkcmVhbWZhY3RvcnkuY29tIiwiZm9yZXZlciI6ZmFsc2UsImlzcyI6Imh0dHBzOlwvXC9kZW1vLmVudGVycHJpc2UuZHJlYW1mYWN0b3J5LmNvbVwvYXBpXC92Mlwvc3lzdGVtXC9hZG1pblwvc2Vzc2lvbiIsImlhdCI6IjE0NDc0MjcxNDkiLCJleHAiOiIxNDQ3NDMwNzQ5IiwibmJmIjoiMTQ0NzQyNzE0OSIsImp0aSI6ImQ3ZGE0YmU0M2NmOTA5NzczMWYzZjJmZDA0MDllOTJjIn0.-jXCtGrU5gBonVsjgg5wpk-afs5bWGIKq8GZEWMY7GM

If I remove that M from the end, invalidating the hash, and try to call the API with this value:

X-DreamFactory-Session-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsInVzZXJfaWQiOjEsImVtYWlsIjoiamVmZnJleUBkcmVhbWZhY3RvcnkuY29tIiwiZm9yZXZlciI6ZmFsc2UsImlzcyI6Imh0dHBzOlwvXC9kZW1vLmVudGVycHJpc2UuZHJlYW1mYWN0b3J5LmNvbVwvYXBpXC92Mlwvc3lzdGVtXC9hZG1pblwvc2Vzc2lvbiIsImlhdCI6IjE0NDc0MjcxNDkiLCJleHAiOiIxNDQ3NDMwNzQ5IiwibmJmIjoiMTQ0NzQyNzE0OSIsImp0aSI6ImQ3ZGE0YmU0M2NmOTA5NzczMWYzZjJmZDA0MDllOTJjIn0.-jXCtGrU5gBonVsjgg5wpk-afs5bWGIKq8GZEWMY7G

I receive your exact error:

{"error":{"context":null,"message":"Invalid token: Token Signature could not be verified.","code":401}}

So either you’re not capturing and passing the token intact, or it’s being passed in an invalid way.


You are right! I’ve been spending hours just because a single space in header key :laughing:

Thanks for your help. This is a really awesome product :slight_smile: