https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> Debug this 401 response I’m getting
# ory-copilot
c
@chilly-king-10285 Debug this 401 response I’m getting
b
A message from kapa.ai
A 401 response in Ory typically means "Unauthorized"—the request is missing valid authentication credentials or the credentials provided are invalid. This is a standard response across many Ory APIs, including session management, settings flows, and project/workspace APIs. Common causes for a 401 response: - No authentication token (e.g., missing or expired session cookie, missing Authorization header). - Invalid or expired authentication token. - The session or flow has expired (for example, login or settings flows are time-limited). Example error message:
Copy code
json {   "error": {     "message": "The resource could not be found",     "status": "Not Found",     "code": 404,     "reason": "User with ID 1234 does not exist.",     "request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6"   } }
Or, for expired flows:
Copy code
json {   "id": 4010001,   "text": "The login flow expired 1.00 minutes ago, please try again.",   "type": "error",   "context": {     "expired_at": "2020-01-01T00:59:59Z",     "expired_at_unix": 1577840399   } }
This means the login flow has expired and you need to restart it to proceed [The login flow expired](https://www.ory.sh/docs/kratos/concepts/ui-messages#the-login-flow-expired-100-minutes-ago-please-try-again-4010001). What to check: - Ensure you are sending the correct authentication credentials (session cookie, bearer token, etc.). - If using flows (login, settings, etc.), make sure the flow has not expired—restart the flow if necessary. - If using OAuth2/OIDC, ensure your access token is valid and not expired. - If you are using Oathkeeper, a 401 can also mean no credentials were provided or the provided credentials are invalid [Oathkeeper oauth2_introspection example](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_introspection-access-rule-example). If you provide more details about which endpoint or flow you are calling and the exact error message, I can help you debug further.
c
@chilly-king-10285 Why does this produce a 401 response: import { Configuration as KetoConfiguration, RelationshipApi } from “@ory/keto-client” /// Keto Relationship API (used to delete relationships) const keto = new RelationshipApi( new KetoConfiguration({ basePath: process.env.ORY_API_URL, accessToken: process.env.ORY_API_KEY }) ) async function deleteKetoRelationshipsForSubject(subject) { let nextPageToken = “” do { const response = await keto.getRelationships({ subject_id: subject, page_token: nextPageToken || undefined, }) const tuples = response.data.relation_tuples || [] for (const tuple of tuples) { try { log(
[Ory Keto] Deleting: ${tuple.namespace} ${tuple.object} ${tuple.relation} ${tuple.subject_id}
) await keto.deleteRelationships({ namespace: tuple.namespace, object: tuple.object, relation: tuple.relation, subject_id: tuple.subject_id, }) log(
[Ory Keto] Deleted: ${tuple.namespace} ${tuple.object} ${tuple.relation} ${tuple.subject_id}
) } catch (err) { log(“[Ory Keto] Error deleting tuple:“, err.response?.data || err) } } nextPageToken = response.data.next_page_token } while (nextPageToken) }
b
A message from kapa.ai
Based on the knowledge sources provided, a 401 response when using the Ory Keto Relationship API is most likely due to missing or invalid authentication credentials. According to the Ory API documentation, the 
deleteRelationships
and 
getRelationships
endpoints require authentication using an Ory access token, provided via the 
oryAccessToken
method (typically as a Bearer token in the Authorization header) [Ory API Reference – relationship](https://www.ory.sh/docs/reference/api). In your code, you are passing the 
accessToken
to the 
KetoConfiguration
, which should set the Authorization header. However, the knowledge sources do not provide details about the internal workings of the 
@ory/keto-client
package or how it handles the access token. If the token is missing, invalid, or not being sent correctly, the API will return a 401 error. Checklist to debug: - Ensure that 
process.env.ORY_API_KEY
is set and contains a valid Ory access token. - Make sure 
process.env.ORY_API_URL
is correct and points to your Ory Keto or Ory Network endpoint. - Confirm that the access token has not expired and has the necessary permissions. - The API expects the access token for both 
getRelationships
and 
deleteRelationships
calls. If all of the above are correct and you are still receiving a 401, there may be an issue with how the client library is sending the token, or the token itself may not be valid for the Ory Network project you are targeting. The knowledge sources do not provide further details on troubleshooting 401 errors for this specific client library, so if the above steps do not resolve your issue, you may need to consult the Ory Network dashboard to verify your API key or reach out to Ory support. References: - Authentication requirements for relationship API methods [Ory API Reference – relationship](https://www.ory.sh/docs/reference/api)
c
@chilly-king-10285 Should I be instantiating the 
RelationshipsApi
from ``@​ory/keto-client` or from 
@ory/client-fetch
?
b
A message from kapa.ai
Based on the knowledge sources, if you are working specifically with Ory Keto (the permissions and relationship engine), you should instantiate the 
RelationshipApi
from the 
@ory/keto-client
package. The documentation for Ory Keto SDKs lists 
@ory/keto-client
as the JavaScript/TypeScript SDK for integrating with a self-hosted Ory Keto Permission Server or compatible Ory Keto APIs [Ory Keto SDK overview](https://www.ory.sh/docs/keto/sdk/overview). The 
@ory/client-fetch
package is referenced in the context of Ory Identities and the broader Ory Network SDK, not specifically for Keto/Permissions APIs [Identities Get Started](https://www.ory.sh/docs/identities/get-started/setup). There is no mention in the knowledge sources of using 
@ory/client-fetch
for Keto relationship management. In summary: You should use 
@ory/keto-client
for Ory Keto relationship and permission APIs. There is no information in the knowledge sources supporting the use of 
@ory/client-fetch
for this purpose.
c
@chilly-king-10285 I’m using Ory Network
b
A message from kapa.ai
If you are using Ory Network, you should use the SDKs and API clients intended for Ory Network, not the self-hosted Ory Keto SDKs. The knowledge sources specify that the Ory Network SDKs (such as 
@ory/client
or 
@ory/client-fetch
) are designed for use with Ory Network, while 
@ory/keto-client
is for self-hosted Ory Keto instances [Ory SDK overview](https://www.ory.sh/docs/sdk). However, the knowledge sources do not explicitly state that 
@ory/client-fetch
or 
@ory/client
exposes a 
RelationshipApi
for Ory Permissions on Ory Network. The documentation for Ory Network SDKs focuses on identities and general API usage, and refers to the REST API documentation for details. For Ory Keto (self-hosted), the 
@ory/keto-client
package is used for permissions and relationships [Ory Keto SDK overview](https://www.ory.sh/docs/keto/sdk/overview). Summary: - For Ory Network, use the Ory Network SDKs (
@ory/client
or 
@ory/client-fetch
) for supported features. - The knowledge sources do not confirm that 
@ory/client-fetch
provides a 
RelationshipApi
for Ory Permissions. - If you need to manage relationships/permissions on Ory Network and the SDK does not expose the required API, you may need to use the Ory Network REST API directly. If you need further clarification or code examples for Ory Network and permissions, please specify your use case or check the [Ory Network API reference](https://www.ory.sh/docs/reference/api) for the latest details. > The knowledge sources do not contain enough information to confirm which package exposes 
RelationshipApi
for Ory Permissions on Ory Network.
Open in Slack
PreviousNext
Powered by