Troubleshooting: Invalid Signature or Origin Rejected

Fix 401 signature failures and 403 browser-origin rejections with canonical payload, secret, and allowlist checks.

401 Invalid Signature

  • Make sure the DSN key type is actually server_signed.
  • Use the exact one-time secret returned during key creation or rotation.
  • Build the canonical payload in this order: timestamp, nonce, public key, SHA256 of the raw body bytes.
  • Sign the exact bytes that are sent over the wire. Re-serialization after signing will break the request.
  • Keep timestamp skew within the allowed window and never reuse a nonce.
  • Check proxies, gateways, and middleware that may rewrite request bodies or strip headers.
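The checklist above, worked through as an added example (not code from this page or from the product it documents): a client-side builder for the canonical payload and a server-side verifier that applies the skew, nonce-reuse and body-hash checks. The HMAC-SHA256 algorithm, the newline separator, and the secret and key values are assumptions; substitute the real ones.

```python
import hashlib
import hmac
import json
import time

# Assumption (not stated on the page): the signature is HMAC-SHA256 over the
# canonical fields joined with "\n". Swap in the real algorithm and separator.

def canonical_payload(timestamp: str, nonce: str, public_key: str, raw_body: bytes) -> bytes:
    """Order mandated by the page: timestamp, nonce, public key, SHA256 of raw body bytes."""
    body_hash = hashlib.sha256(raw_body).hexdigest()
    return "\n".join([timestamp, nonce, public_key, body_hash]).encode("utf-8")

def sign(secret: bytes, timestamp: str, nonce: str, public_key: str, raw_body: bytes) -> str:
    payload = canonical_payload(timestamp, nonce, public_key, raw_body)
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()

def verify(secret, timestamp, nonce, public_key, raw_body, signature,
           *, now=None, max_skew=300, seen_nonces=None) -> bool:
    """Server-side checks: timestamp skew, nonce reuse, then constant-time signature compare."""
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > max_skew:
            return False
    except ValueError:
        return False
    if seen_nonces is not None and nonce in seen_nonces:
        return False
    expected = sign(secret, timestamp, nonce, public_key, raw_body)
    if not hmac.compare_digest(expected, signature):
        return False
    if seen_nonces is not None:
        seen_nonces.add(nonce)   # only record a nonce once the signature checks out
    return True

def demo():
    """Constructed values; shows that a body rewritten in transit no longer verifies."""
    secret = b"one-time-secret-from-key-creation"   # constructed placeholder
    public_key = "pk_example_0123"                  # constructed placeholder
    raw_body = json.dumps({"event": "login", "user": 42}, separators=(",", ":")).encode()
    ts, nonce = str(int(time.time())), "7f3a9c1e2b4d6081"
    sig = sign(secret, ts, nonce, public_key, raw_body)
    ok = verify(secret, ts, nonce, public_key, raw_body, sig)
    # A proxy that parses and re-emits the JSON (here: pretty-printing) changes the
    # bytes, so the body hash inside the canonical payload no longer matches.
    rewritten = json.dumps(json.loads(raw_body), indent=2).encode()
    broken = verify(secret, ts, nonce, public_key, rewritten, sig)
    return ok, broken
```

Run `demo()` to see the same signature accepted for the original bytes and rejected once a middleware has re-serialized the body.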

403 Origin Rejected

  • Check the project’s origin mode: off, report_only, or enforce.
  • Add exact scheme + host + port origins only. Do not include a path, query string, or fragment.
  • For local development, include every variant you actually use, such as localhost and 127.0.0.1.
  • If rollout is still underway, switch back to report_only until the allowlist is clean.

Fast Isolation Steps

  • Re-run the exact curl example from Direct Ingest API.
  • If curl works and the app does not, compare headers and the final serialized body byte-for-byte.
  • If neither works, rotate the key and verify the new secret is deployed everywhere.