Errors
auth_missing_credentials
401 — the request reached an authenticated endpoint without any Authorization header (or with an empty one).
Cause
Matter returns auth_missing_credentials when an authenticated endpoint receives a request whose Authorization header is absent, empty, or syntactically malformed (for example, missing the Bearer prefix). Every endpoint outside the small set of public health probes requires a bearer token, even those that read only metadata about the calling account.
A common source is a reverse proxy or CDN stripping the header on its way through. Another is a client library that has been initialised without a secret because the environment variable was never set in the deploy. Browser callers that try to use Matter directly will see this on every request: the browser is never an authorised principal, and pk_* publishable keys are still tokens that must be sent.
Fix
- Confirm the Authorization header is present on the wire. Use curl -v or the request inspector in your HTTP client to see the headers Matter receives.
- If the header is being stripped, audit your edge tier. CDN configurations sometimes drop Authorization for cache safety — add it to the allowlist.
- If the caller is a server process, verify the secret is loaded from your secrets manager into the running container. A blank env var produces a blank header.
- The shape is exactly Authorization: Bearer <token> with one ASCII space. No quoting, no Basic, no other schemes.
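A client-side preflight for the checks above, as an added example (not Matter's own code or parser): it classifies an Authorization value against the shape this page states and refuses to build a header from a blank secret. The environment variable name MATTER_API_KEY and the reason strings are assumptions made for illustration.

```python
import os

def diagnose_authorization(value):
    """Return None if value matches 'Bearer <token>' exactly, else a reason.

    Client-side preflight only; a strict reading of the shape on this page,
    not a reimplementation of the service's parser.
    """
    if value is None:
        return "header_absent"
    parts = value.split()
    if not parts:
        return "header_empty"
    if parts[0] != "Bearer":
        # One bare word is most likely a raw token sent without the prefix.
        return "missing_bearer_prefix" if len(parts) == 1 else "unsupported_scheme"
    if len(parts) == 1:
        return "empty_token"  # what "Bearer " + secret yields for a blank secret
    token = value[len("Bearer "):]
    if not value.startswith("Bearer ") or len(parts) != 2 or token != token.strip():
        return "bad_spacing"  # tab, double space, or stray newline from a secrets file
    if token[0] in "\"'" or token[-1] in "\"'":
        return "quoted_token"
    return None

def header_from_env(var="MATTER_API_KEY", environ=os.environ):
    """Build the header from an env var (name is hypothetical); fail closed."""
    value = "Bearer " + environ.get(var, "")
    problem = diagnose_authorization(value)
    if problem:
        # Report the reason only, never the secret itself.
        raise RuntimeError(f"{var}: {problem}; refusing to send the request")
    return {"Authorization": value}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = [None, "", "pk_constructed_123", "Basic dXNlcjpwYXNz",
               "Bearer ", "Bearer  pk_constructed_123",
               'Bearer "pk_constructed_123"', "Bearer pk_constructed_123"]
    for s in samples:
        print(repr(s), "->", diagnose_authorization(s) or "ok")
```

Calling header_from_env at process start turns a missing secret into a startup failure instead of a 401 on every request.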
Related codes
- auth_token_invalid — the header is present but the token doesn't resolve.
- auth_token_revoked — the header is present and the token is known but killed.
- auth_token_expired — the header is present and the token has timed out.