Error: Invalid JWT on /admin routes #2204

@DuncanLHS

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

I'm getting the following error with both supabase.auth.admin.createUser() and supabase.auth.admin.listUsers() when using the new publishable and secret keys with supabase-js. I have confirmed the same error with CURL requests that try to mimic what supabase-js is doing.
Error: invalid JWT: unable to parse or verify signature, token is malformed: token contains an invalid number of segments

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

  1. Get Status:
npx supabase status
WARN: no SMS provider is enabled. Disabling phone login
Stopped services: [supabase_imgproxy_myproject supabase_analytics_myproject supabase_vector_myproject supabase_pooler_myproject]
supabase local development setup is running.

         API URL: http://127.0.0.1:54321
     GraphQL URL: http://127.0.0.1:54321/graphql/v1
  S3 Storage URL: http://127.0.0.1:54321/storage/v1/s3
         MCP URL: http://127.0.0.1:54321/mcp
    Database URL: postgresql://postgres:postgres@127.0.0.1:54322/postgres
      Studio URL: http://127.0.0.1:54323
     Mailpit URL: http://127.0.0.1:54324
 Publishable key: sb_publishable_ACJWlzQHlZjBrEguHvfOxg_3BJgxAaH
      Secret key: sb_secret_N7UND0UgjKTVK-Uodkm0Hg_xSvEMPvz
   S3 Access Key: 625729a08b95bf1b7ff351a663f3a23c
   S3 Secret Key: 850181e4652dd023b7a98c58ae0d2d34bd487ee0cc3254aed6eda37307425907
       S3 Region: local
  2. Set SUPABASE_SECRET_KEY
SUPABASE_SECRET_KEY=sb_secret_N7UND0UgjKTVK-Uodkm0Hg_xSvEMPvz
  3. Mimic supabase.auth.signup() behaviour (non-admin route). All ok.
curl -X POST 'http://127.0.0.1:54321/auth/v1/signup' -H "apikey: SUPABASE_SECRET_KEY" -H "Content-Type: application/json" -d '{
  "email": "someone@email.com",
  "password": "wxVNTSqjaWANbCWdVlGc"
}'
{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhYWwiOiJhYWwxIiwiYW1yIjpbeyJtZXRob2QiOiJwYXNzd29yZCIsInRpbWVzdGFtcCI6MTc2MDM1MTAwMH1dLCJhcHBfbWV0YWRhdGEiOnsicHJvdmlkZXIiOiJlbWFpbCIsInByb3ZpZGVycyI6WyJlbWFpbCJdfSwiYXVkIjoiYXV0aGVudGljYXRlZCIsImVtYWlsIjoic29tZW9uZUBlbWFpbC5jb20iLCJleHAiOjE3NjAzNTQ2MDAsImlhdCI6MTc2MDM1MTAwMCwiaXNfYW5vbnltb3VzIjpmYWxzZSwiaXNzIjoiaHR0cDovLzEyNy4wLjAuMTo1NDMyMS9hdXRoL3YxIiwicGhvbmUiOiIiLCJyb2xlIjoiYXV0aGVudGljYXRlZCIsInNlc3Npb25faWQiOiI0NjhkNjBhZS02N2ZiLTRhNWUtYjkzMy03N2IyNTgxMTc1ZTAiLCJzdWIiOiI1Y2UxODZiNS1kMDczLTRjMjYtOGMxMS1jZDdiOTE3YWMzNjYiLCJ1c2VyX21ldGFkYXRhIjp7ImVtYWlsIjoic29tZW9uZUBlbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwicGhvbmVfdmVyaWZpZWQiOmZhbHNlLCJzdWIiOiI1Y2UxODZiNS1kMDczLTRjMjYtOGMxMS1jZDdiOTE3YWMzNjYifSwidXNlcl9yb2xlcyI6W119.Wb1lgabmutOjyEBy3kZDyCIO6c8gl-DuYqWMNlAVz3s","token_type":"bearer","expires_in":3600,"expires_at":1760354600,"refresh_token":"wrfmhsuor3ox","user":{"id":"5ce186b5-d073-4c26-8c11-cd7b917ac366","aud":"authenticated","role":"authenticated","email":"someone@email.com","email_confirmed_at":"2025-10-13T10:23:20.84060849Z","phone":"","last_sign_in_at":"2025-10-13T10:23:20.847954523Z","app_metadata":{"provider":"email","providers":["email"]},"user_metadata":{"email":"someone@email.com","email_verified":true,"phone_verified":false,"sub":"5ce186b5-d073-4c26-8c11-cd7b917ac366"},"identities":[{"identity_id":"91f7b69d-c7a4-42ba-9162-5477c5266ecc","id":"5ce186b5-d073-4c26-8c11-cd7b917ac366","user_id":"5ce186b5-d073-4c26-8c11-cd7b917ac366","identity_data":{"email":"someone@email.com","email_verified":true,"phone_verified":false,"sub":"5ce186b5-d073-4c26-8c11-cd7b917ac366"},"provider":"email","last_sign_in_at":"2025-10-13T10:23:20.835940046Z","created_at":"2025-10-13T10:23:20.835979Z","updated_at":"2025-10-13T10:23:20.835979Z","email":"someone@email.com"}],"created_at":"2025-10-13T10:23:20.830296Z","updated_at":"2025-10-13T10:23:20.850641Z","is_anonymous":false}}
  4. Mimic supabase.auth.admin.createUser() behaviour (admin route). Fails with JWT Error
curl -X POST 'http://127.0.0.1:54321/auth/v1/admin/users' -H "apiKey: SUPABASE_SECRET_KEY" -H "Authorization: Bearer SUPABASE_SECRET_KEY" -H "Content-Type: application/json" -d '{
  "email": "someoneelse@email.com",
  "password": "wxVNTSqjaWANbCWdVlGc"
}'
{"code":403,"error_code":"bad_jwt","msg":"invalid JWT: unable to parse or verify signature, token is malformed: token contains an invalid number of segments"}

Expected behavior

No JWT error

System information

  • OS: Windows
  • Version of supabase-js: 2.75.0
  • Version of auth image: supabase/gotrue:v2.179.0
  • supabase-cli: 2.51.0

Additional context

Not sure if this is associated with any particular version. I have only just migrated my project to the new keys, but I am suspicious that this has not been reported earlier, so it may be something up with my setup/config.toml (though I did search the docs and found no changes needed to support the new keys).
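
Added example, not part of the original report and not Supabase code: the "invalid number of segments" text is what a compact-JWT parser returns when the bearer string does not split into three dot-separated segments, and the sb_secret_ key in the status output above contains no dots. The sketch below classifies a credential by structure and pre-checks an Authorization header; classifyCredential, checkBearer and the sample values are hypothetical names and constructed data.

```javascript
// Added example (not from the issue or from Supabase): classify a credential
// the way a compact-JWT parser sees it. The sb_secret_/sb_publishable_
// prefixes come from the status output above; all sample values are constructed.
const B64URL = /^[A-Za-z0-9_-]+$/;

function decodeSegment(seg) {
  // base64url -> parsed JSON, or null when the segment is not JSON
  try {
    return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function classifyCredential(value) {
  const segments = value.split('.');
  if (/^sb_(secret|publishable)_/.test(value)) {
    return { kind: 'opaque-api-key', segments: segments.length };
  }
  if (segments.length !== 3 || !segments.every((s) => B64URL.test(s))) {
    return { kind: 'malformed', segments: segments.length };
  }
  const header = decodeSegment(segments[0]);
  const payload = decodeSegment(segments[1]);
  if (!header || typeof header.alg !== 'string' || payload === null) {
    return { kind: 'malformed', segments: 3 };
  }
  // Structure only: the signature is NOT verified here.
  return { kind: 'jwt', segments: 3, alg: header.alg, role: payload.role ?? null };
}

// Hypothetical pre-flight check for the headers of an outgoing request.
function checkBearer(headers) {
  const auth = headers.Authorization || headers.authorization || '';
  const m = /^Bearer (.+)$/.exec(auth);
  if (!m) return { ok: false, reason: 'no bearer token' };
  const c = classifyCredential(m[1]);
  if (c.kind === 'jwt') return { ok: true, reason: `jwt alg=${c.alg}` };
  return { ok: false, reason: `${c.kind}: ${c.segments} segment(s), a JWT has 3` };
}

// Constructed samples: a structurally valid JWT and an opaque key.
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleJwt = [b64({ alg: 'HS256', typ: 'JWT' }), b64({ role: 'authenticated' }), 'c2ln'].join('.');
const sampleKey = 'sb_secret_CONSTRUCTED_EXAMPLE';

console.log(checkBearer({ Authorization: `Bearer ${sampleKey}` }));
console.log(checkBearer({ Authorization: `Bearer ${sampleJwt}` }));
```

The check is structural only; a string that passes it can still fail signature or expiry validation on the server.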
