Invalid API key or token

[thinkaliker]

I'm getting a 401 "Invalid API key or token" error from the worker logs. I've performed the curl manually and was able to reproduce the issue (since the Unifi console only runs the command once every 10 minutes). I also performed the token check when I made the token, and that one passed successfully. I'm not sure what I'm doing wrong.

Log output

Curl command

Here's my configuration:
API token configuration

Unifi Console configuration

[qqoicq]

I also encountered this issue. I’m using version 9.0.108.

[burgonyapure]

I have the same error, version 9.0.108.
Edit: RTFM
Create USER API TOKEN not Acoount token
https://developers.cloudflare.com/fundamentals/api/get-started/create-token/

[willswire]

@thinkaliker and @qqoicq, can you confirm you're using a User API token and not an Account API token?

[thinkaliker]

@willswire Yes, I thought made the token using https://dash.cloudflare.com/profile/api-tokens, which is the only place I could find to make an API key. But because I'm not sure, I've gone ahead and remade a new fresh key, and now it is complaining about the API key containing an underscore.

Error updating DNS record: InvalidCharacterError: atob() called with invalid base64-encoded data. (Only whitespace, '+', '/', alphanumeric ASCII, and up to two terminal '=' signs when the input data length is divisible by 4 are allowed.)

I'm not sure why remaking the key would have fixed the initial issue, but I'll take a different error over that one. That being said, I do have TWO keys now - I believe one User API key for the actual worker deployment, and one User API key for JUST the DNS entry. If you click deploy with Wrangler it'll prompt you to go make an API key, so I think maybe some guidance to not confuse the two keys would be good?

[gh0sti]

I just tried setting this up from scratch and I get a missing API key when I copy/paste it into the worker as described in the step-by-step.

[chucklebrother]

Apologies in advance if you have already verified what I am going to cover here, I’m approaching this from my perspective of ben new to CF workers, and only having passing familiarity with CF's API

That the curl command is failing might indicate the issue is outside of the worker, after all if you cant make the API call manually the worker is unlikely to succeed either.

Given what you are reporting it seems like both you and the worker are successfully making an API call to update a DNS record but in both cases CF is failing to authorise the action because of the API token presented and the API endpoint is returning .

I wonder have you checked you are not using the API token you generated for the GH actin that deploy's the worker?

You should have two (2) API tokens created for two different purposes:

• One for use to deploy and manage the worker.
• The other that you use in your unifi configuration as secret that gets passed to the worker, that it uses to authenticate to the API endpoint and make the change.

If you have only created the token used to deploy/manage the worker, or have created a token that has DNS edit permissions but have muddled up the API tokens and are inadvertently using the worker deploy token that could explain your issue.

[jhanshew]

Getting same result reported by @thinkaliker, above. Verified creation and use of User API Token. This is a new Unifi setup running lastest OS (4.1.13).

Error updating DNS record: InvalidCharacterError: atob() called with invalid base64-encoded data. (Only whitespace, '+', '/', alphanumeric ASCII, and up to two terminal '=' signs when the input data length is divisible by 4 are allowed.)

[twobeass]

same error here.... Created a DNS Edit Token twice to double check, but still getting "Error updating DNS record: API token missing." in workers log

[cygnim]

I can verify the utility is working as expected. I did not use the Deploy Worker option though, I deployed via Wrangler CLI. You all may want to try this method as well- it's not difficult.

[favorit5503]

I have the same issues with either option. Most of the time i get a Missing API token.

[jhanshew]

Started from scratch last night using Wrangler CLI (as I did last time), following each step meticulously. Results in "Missing API Token".

[favorit5503]

@jhanshew Try with this. I got it working with these settings. With the deploy.

and for the unifi i used this.

[favorit5503]

Seems like the API Token changed a small bit. I needed to change the DNS from read to edit.

[thinkaliker]

I followed @favorit5503 's suggestion of including those three specific permissions as part of the existing API key and I got it to work. I only had DNS settings/DNS previously. I think the Zone:Zone setting is what made it work.

I referenced this link to figure out how Unifi is actually calling custom DDNS. Using that link, you can verify that Unifi has your correct variables in your /run/ddns-<interface>-inadyne.conf:

You can kick off a manual DDNS run by running (replacing eth4 with your corresponding interface):

/usr/sbin/inadyn -n -s -C -f /run/ddns-eth4-inadyn.conf -1 -l debug --foreground --force

If you're attempting to test with a Curl command, you'll need to add to your API token into the following text format:

<cloudflare login email>:<API token>

and convert the result into base64 - the resulting string should end in an =. Then insert that into the "Authorization: Bearer " -H flag.

[jhanshew]

Can confirm. Above User API token permissions edits suggested by @favorit5503 worked like a charm. Thank you, sir!

[qqoicq]

@willswire I confirm that I am using an API token