JWT authentication returns 401 Unauthorized even with a valid token generated using Remark42 algorithm

[edemdev7]

I am trying to integrate Remark42 with JWT authentication, but I keep getting 401 Unauthorized errors when posting comments, even though the JWT token is correctly generated on the backend using the official Remark42 JWT algorithm and claims.

Context

• Remark42 is running via Docker
• AUTH_JWT is enabled
• JWT token is generated server-side using:
  Correct secret
  Proper claims (sub, aud, exp, iat, etc.)
  Algorithm compatible with Remark42 (HS256)
• Token is successfully returned to the frontend
• The frontend sends the token as expected

Despite this, any request requiring authentication (e.g. POST /api/v1/comment) returns:

401 Unauthorized
What works

• Anonymous authentication works correctly using /auth/anonymous/login
• Public endpoints (/api/v1/config, /api/v1/find) work as expected
• JWT token is successfully decoded and verified on my backend

What does not work

• JWT-authenticated requests are rejected by Remark42
• Logs show authentication failure even though the token is present

Remark42 configuration (Docker)

environment:
  SITE: local
  SECRET: dev-secret-remark42-2025
  AUTH_ANON: "true"
  AUTH_JWT: "true"
  DEBUG: "true"

Question

Is there any additional requirement for JWT authentication that is not clearly documented?
For example:

• Specific claim names or formats?
• Required cookie vs Authorization: Bearer header?
• Mandatory aud, iss, or site claim values?

Any clarification or working example would be greatly appreciated. Thank you

[paskal]

Let me convert this to discussion, I feel this is more a configuration issue than a bug. Could you please post logs you're getting on the problem? It's nearly impossible to help you based just on text description.

[paskal]

There's no AUTH_JWT option in remark42—this env var doesn't exist (see available parameters). JWT is used internally by all auth providers, but there's no standalone "JWT authentication mode" you can enable.

If you want to generate tokens externally and have remark42 accept them, you need to match the exact token format it uses:

{
  "iss": "remark42",
  "aud": "local",
  "exp": 1766345532,
  "iat": 1766345232,
  "jti": "some-unique-id",
  "user": {
    "name": "User Name",
    "id": "provider_userid",
    "picture": "https://example.com/avatar.png"
  }
}

Key points:

1. The user claim is required—standard JWT claims like sub won't work
2. aud must match your SITE value (in your case local)
3. Token must be signed with the same SECRET using HS256
4. Send the token via X-JWT header or JWT cookie, not Authorization: Bearer

You can debug remark42-generated and yours JWT tokens using something like https://www.jwt.io. Example for anonymous user on https://remark42.com/demo/:

The built-in auth providers (anonymous, email, oauth) handle all this internally. If you need custom integration, you'll have to generate tokens matching this exact format.

See tests in backend/app/rest/api/rest_test.go for working examples of token structure.

[edemdev7]

@paskal

[paskal]

I propose to try solving it with any LLM with remark42 code ar hand, you are missing some foundational steps in what you are trying to achieve. It would be faster and more effective than moving one step ahead and posting logs back to me without reading them.

I'll try to write a doc on how to attach custom authentication to remark42 end to end, but I'll have time to do so not earlier than in three weeks.

[KOSSOKO]

I propose to try solving it with any LLM with remark42 code ar hand, you are missing some foundational steps in what you are trying to achieve. It would be faster and more effective than moving one step ahead and posting logs back to me without reading them.

I'll try to write a doc on how to attach custom authentication to remark42 end to end, but I'll have time to do so not earlier than in three weeks.

I'm also interested by this doc once ready. TY

[edemdev7]

@paskal the doc is available now ?

[delros]

~~Effectively, I was able to set up the external authenticated users to be authorized in Remark42 as per the recommendations above. However, I'm struggling quite a bit with nominating a user to the admin role. I tried to rely on the ADMIN_SHARED_ID env variable with an an explicit set of user ID (as per the response from api/v1/userthe user ID has the "user_" prefix there), or include the "admin": true in the user JWT claim.

@paskal, could you please advice how correctly admin permissions can be nominated in such case with custom authentication? ~~

Oh, just saw on you screenshot above that "admin" flag should be within "attrs" prop under the user claim. Issue now resolved on my side. Thanks :)