Error when using Custom JWT Authentication

I have configured my app in App Services to use custom JWT authentication. I have provided the JWK URI, but I am receiving the following error when I try to log in from my Node app:


    failed to fetch JWK from URI: failed to extract from map: failed to construct key from map: failed to extract key from map: failed to extract header values: failed to set value for key x5c: invalid value for x5c key: failed to parse certificate: x509: malformed serial number

Any advice?

Hi @Chris_Lawrence,
Could you provide some more details:

  • Which SDK do you use?
  • How do you generate your custom JWT token?
  • Are you sure that you have set the same “kid”:“jwk-test-6009ec4b-3e5b-44f4-89ca-5f3cce226379” as a header to your issued JWT?
    It seems that the JWT that you provide doesn’t match the JWK set.

Thanks for the quick reply @Desislava_St_Stefanova

Here is more info:

  • Which SDK do you use?

I’m using the Node SDK

  • How do you generate your custom JWT token?

The JWT is coming directly from our authentication provider–Stytch. The JWK URI I’m using and posted a link to in the OP is an endpoint to obtain their JWK that is used to validate the token.

  • Are you sure that you have set the same “kid”:“jwk-test-6009ec4b-3e5b-44f4-89ca-5f3cce226379” as a header to your issued JWT?

I put the JWT in and receive the following head information:

Here is a snippet of my code I’m using to auth in case this is any help

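    import Realm from 'realm'

    const app = new Realm.App({ id: process.env.REALM_APP_ID! })
    // Wrap the provider-issued JWT in a credentials object, then log in with it
    const creds = Realm.Credentials.jwt("JWT_FROM_AUTH_PROVIDER")
    app.logIn(creds)
      .then((user) => {
        // Handle authenticated user...
      })
      .catch((err) => {
        logger.error('Error during realm app authentication', err)
      })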

Hi @Chris_Lawrence,
I have forwarded your question to the App Services team, but there seems to be some issue with the serial number of the certificate that is used to sign the JWT.
The only thing I can suggest is that you can check whether you get the same error if you use public key verification. You can convert your JWK to a public key using one of the available “JWK to PEM converter” tools, then you can configure the Atlas App Service using the “Manually specify signing keys” option.
Looking forward to your response.

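The workaround suggested above (converting the JWK to a PEM public key for the “Manually specify signing keys” option), sketched in Node.js as an added example that is not part of any post in this thread. The key pair, `kid`, `x5c` value and token are constructed, the helper names are hypothetical, and only `node:crypto` is used; the key is rebuilt from `n` and `e`, so the `x5c` member named in the error message is never parsed.

```javascript
const crypto = require('node:crypto');

// Constructed sample data: a throwaway RSA key published as a one-entry JWK set.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const SAMPLE_KID = 'sample-kid-1'; // constructed, not the kid from the thread
const sampleJwks = {
  keys: [{
    ...publicKey.export({ format: 'jwk' }), // kty, n, e
    kid: SAMPLE_KID, use: 'sig', alg: 'RS256',
    x5c: ['bm90LWEtY2VydGlmaWNhdGU='], // constructed: base64 of "not-a-certificate"
  }],
};

const b64url = (value) => Buffer.from(value).toString('base64url');

// Issue a constructed RS256 token so the PEM can be checked against a real signature.
function signSampleJwt(claims, kid) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${signature.toString('base64url')}`;
}

// Select the JWK by kid and rebuild the public key from kty/n/e only.
// The x5c member is never read, so an unparseable certificate cannot break the conversion.
function jwkToPem(jwks, kid) {
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (!jwk) throw new Error(`no JWK with kid "${kid}"`);
  if (jwk.kty !== 'RSA') throw new Error(`unsupported kty "${jwk.kty}"`);
  const key = crypto.createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  return key.export({ type: 'spki', format: 'pem' });
}

// Read the kid from the token header; it is used only to choose a key.
function kidOf(token) {
  return JSON.parse(Buffer.from(token.split('.')[0], 'base64url').toString('utf8')).kid;
}

// Verify an RS256 signature with the PEM; the algorithm is pinned, not taken from the token.
function verifyWithPem(token, pem) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [header, payload, signature] = parts;
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  if (alg !== 'RS256') return false;
  return crypto.verify('RSA-SHA256', Buffer.from(`${header}.${payload}`), pem,
    Buffer.from(signature, 'base64url'));
}
```

Checking that the `kid` in the token header matches an entry in the set before converting also answers the earlier question about whether the JWT and the JWK set belong together.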

Hey @Desislava_St_Stefanova

I have some good news! I brought this same issue up with Stytch and they were able to reproduce it within Mongo. They believe it is an error with the way they are formatting their JWK. They should have a fix out soon.

I was able to convert the JWK into PEM format and submit that to my app as a workaround. Authentication is now working.

I appreciated the help with this issue.


I’m glad to hear that.
It’s nice that the workaround works.
Good luck with your project, @Chris_Lawrence!

