[{"data":1,"prerenderedAt":1372},["ShallowReactive",2],{"navigation":3,"/operations/troubleshooting":145,"/operations/troubleshooting-surround":1367},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe 
Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy 
Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":138,"body":147,"description":1361,"extension":1362,"links":1363,"meta":1364,"navigation":228,"path":139,"seo":1365,"stem":140,"__hash__":1366},"docs/6.operations/3.troubleshooting.md",{"type":148,"value":149,"toc":1326},"minimark",[150,154,159,164,172,183,188,242,245,269,276,279,283,287,292,301,309,381,387,391,396,404,412,490,494,499,507,512,514,518,522,527,540,544,560,564,569,578,582,624,634,638,643,648,653,655,659,663,671,676,680,716,722,726,734,739,743,754,783,787,794,799,804,806,810,814,819,824,829,866,870,875,880,885,918,925,929,936,941,946,1028,1030,1032,1036,1043,1048,1172,1174,1178,1182,1187,1203,1208,1239,1249,1251,1255,1259,1264,1271,1275,1293,1297,1305,1310,1314,1322],[151,152,138],"h1",{"id":153},"troubleshooting",[155,156,158],"h2",{"id":157},"dns-discovery","DNS Discovery",[160,161,163],"h3",{"id":162},"no-idp-found-for-domain","\"No IdP found for domain\"",[165,166,167,171],"p",{},[168,169,170],"strong",{},"Symptom:"," Login fails with \"Could not discover IdP for this email domain.\"",[165,173,174,177,178,182],{},[168,175,176],{},"Cause:"," Missing or misconfigured ",[179,180,181],"code",{},"_ddisa"," TXT record.",[165,184,185],{},[168,186,187],{},"Fix:",[189,190,195],"pre",{"className":191,"code":192,"language":193,"meta":194,"style":194},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Check if the record exists\ndig _ddisa.example.com TXT 
+short\n\n# Expected output:\n# \"v=ddisa1 idp=https://id.example.com; mode=open\"\n","bash","",[179,196,197,206,223,230,236],{"__ignoreMap":194},[198,199,202],"span",{"class":200,"line":201},"line",1,[198,203,205],{"class":204},"sHwdD","# Check if the record exists\n",[198,207,209,213,217,220],{"class":200,"line":208},2,[198,210,212],{"class":211},"sBMFI","dig",[198,214,216],{"class":215},"sfazB"," _ddisa.example.com",[198,218,219],{"class":215}," TXT",[198,221,222],{"class":215}," +short\n",[198,224,226],{"class":200,"line":225},3,[198,227,229],{"emptyLinePlaceholder":228},true,"\n",[198,231,233],{"class":200,"line":232},4,[198,234,235],{"class":204},"# Expected output:\n",[198,237,239],{"class":200,"line":238},5,[198,240,241],{"class":204},"# \"v=ddisa1 idp=https://id.example.com; mode=open\"\n",[165,243,244],{},"If no record is returned:",[246,247,248,252,263],"ol",{},[249,250,251],"li",{},"Add the TXT record to your DNS provider",[249,253,254,255,262],{},"Wait for propagation (check at ",[256,257,261],"a",{"href":258,"rel":259},"https://dnschecker.org",[260],"nofollow","dnschecker.org",")",[249,264,265,266],{},"Verify the format: ",[179,267,268],{},"v=ddisa1 idp=https://...; mode=open",[165,270,271,272,275],{},"If the SP has a ",[179,273,274],{},"fallbackIdpUrl"," configured, users from domains without DDISA records will be redirected there.",[277,278],"hr",{},[155,280,282],{"id":281},"passkey-registration","Passkey Registration",[160,284,286],{"id":285},"registration-failed-origin-mismatch","\"Registration failed: origin mismatch\"",[165,288,289,291],{},[168,290,170],{}," Passkey registration fails immediately.",[165,293,294,296,297,300],{},[168,295,176],{}," The ",[179,298,299],{},"rpOrigin"," in the IdP config doesn't match the browser's origin.",[165,302,303,305,306,308],{},[168,304,187],{}," Ensure ",[179,307,299],{}," exactly matches the URL in the browser address 
bar:",[189,310,314],{"className":311,"code":312,"language":313,"meta":194,"style":194},"language-typescript shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","// ❌ Wrong\nrpOrigin: 'https://id.example.com/'  // trailing slash\nrpOrigin: 'http://id.example.com'    // wrong protocol\n\n// ✅ Correct\nrpOrigin: 'https://id.example.com'\n","typescript",[179,315,316,321,341,357,361,366],{"__ignoreMap":194},[198,317,318],{"class":200,"line":201},[198,319,320],{"class":204},"// ❌ Wrong\n",[198,322,323,325,329,332,335,338],{"class":200,"line":208},[198,324,299],{"class":211},[198,326,328],{"class":327},"sMK4o",":",[198,330,331],{"class":327}," '",[198,333,334],{"class":215},"https://id.example.com/",[198,336,337],{"class":327},"'",[198,339,340],{"class":204},"  // trailing slash\n",[198,342,343,345,347,349,352,354],{"class":200,"line":225},[198,344,299],{"class":211},[198,346,328],{"class":327},[198,348,331],{"class":327},[198,350,351],{"class":215},"http://id.example.com",[198,353,337],{"class":327},[198,355,356],{"class":204},"    // wrong protocol\n",[198,358,359],{"class":200,"line":232},[198,360,229],{"emptyLinePlaceholder":228},[198,362,363],{"class":200,"line":238},[198,364,365],{"class":204},"// ✅ Correct\n",[198,367,369,371,373,375,378],{"class":200,"line":368},6,[198,370,299],{"class":211},[198,372,328],{"class":327},[198,374,331],{"class":327},[198,376,377],{"class":215},"https://id.example.com",[198,379,380],{"class":327},"'\n",[165,382,383,384],{},"For local development: ",[179,385,386],{},"rpOrigin: 'http://localhost:3000'",[160,388,390],{"id":389},"registration-failed-rpid-mismatch","\"Registration failed: rpID mismatch\"",[165,392,393,395],{},[168,394,170],{}," Passkey registration fails after biometric prompt.",[165,397,398,296,400,403],{},[168,399,176],{},[179,401,402],{},"rpID"," doesn't match the origin's domain.",[165,405,406,408,409,411],{},[168,407,187],{}," ",[179,410,402],{}," must be the domain (without protocol or 
port):",[189,413,415],{"className":311,"code":414,"language":313,"meta":194,"style":194},"// ❌ Wrong\nrpID: 'https://id.example.com'  // includes protocol\nrpID: 'id.example.com:3000'     // includes port\n\n// ✅ Correct\nrpID: 'id.example.com'\nrpID: 'localhost'  // for development\n",[179,416,417,421,436,452,456,460,473],{"__ignoreMap":194},[198,418,419],{"class":200,"line":201},[198,420,320],{"class":204},[198,422,423,425,427,429,431,433],{"class":200,"line":208},[198,424,402],{"class":211},[198,426,328],{"class":327},[198,428,331],{"class":327},[198,430,377],{"class":215},[198,432,337],{"class":327},[198,434,435],{"class":204},"  // includes protocol\n",[198,437,438,440,442,444,447,449],{"class":200,"line":225},[198,439,402],{"class":211},[198,441,328],{"class":327},[198,443,331],{"class":327},[198,445,446],{"class":215},"id.example.com:3000",[198,448,337],{"class":327},[198,450,451],{"class":204},"     // includes port\n",[198,453,454],{"class":200,"line":232},[198,455,229],{"emptyLinePlaceholder":228},[198,457,458],{"class":200,"line":238},[198,459,365],{"class":204},[198,461,462,464,466,468,471],{"class":200,"line":368},[198,463,402],{"class":211},[198,465,328],{"class":327},[198,467,331],{"class":327},[198,469,470],{"class":215},"id.example.com",[198,472,380],{"class":327},[198,474,476,478,480,482,485,487],{"class":200,"line":475},7,[198,477,402],{"class":211},[198,479,328],{"class":327},[198,481,331],{"class":327},[198,483,484],{"class":215},"localhost",[198,486,337],{"class":327},[198,488,489],{"class":204},"  // for development\n",[160,491,493],{"id":492},"passkeys-require-https","\"Passkeys require HTTPS\"",[165,495,496,498],{},[168,497,170],{}," Passkey registration fails in production but works locally.",[165,500,501,503,504,506],{},[168,502,176],{}," WebAuthn requires a secure context. 
",[179,505,484],{}," is exempt, but production must use HTTPS.",[165,508,509,511],{},[168,510,187],{}," Ensure your IdP is served over HTTPS with a valid certificate.",[277,513],{},[155,515,517],{"id":516},"oauth-login-flow","OAuth / Login Flow",[160,519,521],{"id":520},"oauth-callback-error-pkce-mismatch","\"OAuth callback error: PKCE mismatch\"",[165,523,524,526],{},[168,525,170],{}," Login redirects back to SP but fails with a code exchange error.",[165,528,529,531,532,535,536,539],{},[168,530,176],{}," The PKCE ",[179,533,534],{},"code_verifier"," doesn't match the ",[179,537,538],{},"code_challenge"," sent during authorization.",[165,541,542],{},[168,543,187],{},[545,546,547,550,557],"ul",{},[249,548,549],{},"Clear browser cookies and try again (session state may be corrupted)",[249,551,552,553,556],{},"Ensure ",[179,554,555],{},"sessionSecret"," is consistent across deployments (don't rotate mid-session)",[249,558,559],{},"Check that the SP is not behind a load balancer with inconsistent sticky sessions",[160,561,563],{"id":562},"oauth-callback-error-audience-mismatch","\"OAuth callback error: audience mismatch\"",[165,565,566,568],{},[168,567,170],{}," Login fails with \"JWT audience does not match client ID.\"",[165,570,571,573,574,577],{},[168,572,176],{}," The SP's ",[179,575,576],{},"clientId"," doesn't match what the IdP expects.",[165,579,580],{},[168,581,187],{},[189,583,585],{"className":311,"code":584,"language":313,"meta":194,"style":194},"// SP config — clientId must match the SP's public domain\nopenapeSp: {\n  clientId: 'app.example.com'  // not 'https://app.example.com'\n}\n",[179,586,587,592,602,619],{"__ignoreMap":194},[198,588,589],{"class":200,"line":201},[198,590,591],{"class":204},"// SP config — clientId must match the SP's public domain\n",[198,593,594,597,599],{"class":200,"line":208},[198,595,596],{"class":211},"openapeSp",[198,598,328],{"class":327},[198,600,601],{"class":327}," 
{\n",[198,603,604,607,609,611,614,616],{"class":200,"line":225},[198,605,606],{"class":211},"  clientId",[198,608,328],{"class":327},[198,610,331],{"class":327},[198,612,613],{"class":215},"app.example.com",[198,615,337],{"class":327},[198,617,618],{"class":204},"  // not 'https://app.example.com'\n",[198,620,621],{"class":200,"line":232},[198,622,623],{"class":327},"}\n",[165,625,626,627,629,630,633],{},"In development, ",[179,628,576],{}," auto-derives to ",[179,631,632],{},"localhost:PORT",".",[160,635,637],{"id":636},"oauth-callback-error-expired-authorization-code","\"OAuth callback error: expired authorization code\"",[165,639,640,642],{},[168,641,170],{}," Login fails after a long delay between IdP auth and SP callback.",[165,644,645,647],{},[168,646,176],{}," Authorization codes expire after 60 seconds.",[165,649,650,652],{},[168,651,187],{}," Retry the login. If the problem persists, check for network latency between SP and IdP.",[277,654],{},[155,656,658],{"id":657},"agent-authentication","Agent Authentication",[160,660,662],{"id":661},"agent-not-found","\"Agent not found\"",[165,664,665,408,667,670],{},[168,666,170],{},[179,668,669],{},"/api/agent/challenge"," returns 404.",[165,672,673,675],{},[168,674,176],{}," Agent not enrolled, or enrolled with a different email/ID.",[165,677,678],{},[168,679,187],{},[189,681,683],{"className":191,"code":682,"language":193,"meta":194,"style":194},"# List enrolled agents\ncurl https://id.example.com/api/admin/agents \\\n  -H \"Authorization: Bearer \u003Cmanagement-token>\"\n",[179,684,685,690,702],{"__ignoreMap":194},[198,686,687],{"class":200,"line":201},[198,688,689],{"class":204},"# List enrolled agents\n",[198,691,692,695,698],{"class":200,"line":208},[198,693,694],{"class":211},"curl",[198,696,697],{"class":215}," https://id.example.com/api/admin/agents",[198,699,701],{"class":700},"sTEyZ"," \\\n",[198,703,704,707,710,713],{"class":200,"line":225},[198,705,706],{"class":215},"  -H",[198,708,709],{"class":327}," 
\"",[198,711,712],{"class":215},"Authorization: Bearer \u003Cmanagement-token>",[198,714,715],{"class":327},"\"\n",[165,717,718,719,633],{},"Verify the agent's email matches what you're sending in ",[179,720,721],{},"agent_id",[160,723,725],{"id":724},"invalid-signature","\"Invalid signature\"",[165,727,728,408,730,733],{},[168,729,170],{},[179,731,732],{},"/api/agent/authenticate"," returns 401.",[165,735,736,738],{},[168,737,176],{}," The signature doesn't match the registered public key.",[165,740,741],{},[168,742,187],{},[246,744,745,748,751],{},[249,746,747],{},"Verify you're signing the exact challenge string (no extra newline or whitespace)",[249,749,750],{},"Ensure you're using the correct private key (matching the enrolled public key)",[249,752,753],{},"Check that the key format is Ed25519 (not RSA or ECDSA)",[189,755,757],{"className":191,"code":756,"language":193,"meta":194,"style":194},"# Verify key type\nssh-keygen -l -f ~/.ssh/agent_key\n# Should show: 256 SHA256:... (ED25519)\n",[179,758,759,764,778],{"__ignoreMap":194},[198,760,761],{"class":200,"line":201},[198,762,763],{"class":204},"# Verify key type\n",[198,765,766,769,772,775],{"class":200,"line":208},[198,767,768],{"class":211},"ssh-keygen",[198,770,771],{"class":215}," -l",[198,773,774],{"class":215}," -f",[198,776,777],{"class":215}," ~/.ssh/agent_key\n",[198,779,780],{"class":200,"line":225},[198,781,782],{"class":204},"# Should show: 256 SHA256:... (ED25519)\n",[160,784,786],{"id":785},"challenge-expired","\"Challenge expired\"",[165,788,789,408,791,793],{},[168,790,170],{},[179,792,732],{}," returns 401 with \"expired challenge.\"",[165,795,796,798],{},[168,797,176],{}," Challenges expire after 60 seconds.",[165,800,801,803],{},[168,802,187],{}," Request a new challenge and authenticate within 60 seconds. 
Ensure system clocks are synchronized (NTP).",[277,805],{},[155,807,809],{"id":808},"grants","Grants",[160,811,813],{"id":812},"grant-already-decided","\"Grant already decided\"",[165,815,816,818],{},[168,817,170],{}," Approving or denying a grant returns 400.",[165,820,821,823],{},[168,822,176],{}," The grant was already approved, denied, or revoked.",[165,825,826,828],{},[168,827,187],{}," Check the grant status:",[189,830,832],{"className":191,"code":831,"language":193,"meta":194,"style":194},"curl https://id.example.com/api/grants/\u003Cid> \\\n  -H \"Authorization: Bearer \u003Ctoken>\"\n",[179,833,834,855],{"__ignoreMap":194},[198,835,836,838,841,844,847,850,853],{"class":200,"line":201},[198,837,694],{"class":211},[198,839,840],{"class":215}," https://id.example.com/api/grants/",[198,842,843],{"class":327},"\u003C",[198,845,846],{"class":215},"i",[198,848,849],{"class":700},"d",[198,851,852],{"class":327},">",[198,854,701],{"class":700},[198,856,857,859,861,864],{"class":200,"line":208},[198,858,706],{"class":215},[198,860,709],{"class":327},[198,862,863],{"class":215},"Authorization: Bearer \u003Ctoken>",[198,865,715],{"class":327},[160,867,869],{"id":868},"not-authorized-to-approve","\"Not authorized to approve\"",[165,871,872,874],{},[168,873,170],{}," Approving a grant returns 403.",[165,876,877,879],{},[168,878,176],{}," The logged-in user is not the agent's owner, approver, or an admin.",[165,881,882,884],{},[168,883,187],{}," Check who the agent's owner/approver is:",[189,886,888],{"className":191,"code":887,"language":193,"meta":194,"style":194},"curl https://id.example.com/api/admin/agents/\u003Cagent-id> \\\n  -H \"Authorization: Bearer \u003Cmanagement-token>\"\n",[179,889,890,908],{"__ignoreMap":194},[198,891,892,894,897,899,902,904,906],{"class":200,"line":201},[198,893,694],{"class":211},[198,895,896],{"class":215}," 
https://id.example.com/api/admin/agents/",[198,898,843],{"class":327},[198,900,901],{"class":215},"agent-i",[198,903,849],{"class":700},[198,905,852],{"class":327},[198,907,701],{"class":700},[198,909,910,912,914,916],{"class":200,"line":208},[198,911,706],{"class":215},[198,913,709],{"class":327},[198,915,712],{"class":215},[198,917,715],{"class":327},[165,919,920,921,924],{},"Update the agent's ",[179,922,923],{},"approver"," field if needed.",[160,926,928],{"id":927},"cmd_hash-mismatch-escapes","\"cmd_hash mismatch\" (escapes)",[165,930,931,408,933,935],{},[168,932,170],{},[179,934,65],{}," exits with code 5 and logs \"cmd_hash mismatch.\"",[165,937,938,940],{},[168,939,176],{}," The command in the grant request doesn't match the command being executed.",[165,942,943,945],{},[168,944,187],{}," The command array must match exactly:",[189,947,949],{"className":191,"code":948,"language":193,"meta":194,"style":194},"# Grant was requested for:\n#   command: [\"systemctl\", \"restart\", \"nginx\"]\n\n# ❌ This won't match (different arguments)\nescapes --grant \"$JWT\" -- systemctl stop nginx\n\n# ✅ This matches\nescapes --grant \"$JWT\" -- systemctl restart nginx\n",[179,950,951,956,961,965,970,997,1001,1006],{"__ignoreMap":194},[198,952,953],{"class":200,"line":201},[198,954,955],{"class":204},"# Grant was requested for:\n",[198,957,958],{"class":200,"line":208},[198,959,960],{"class":204},"#   command: [\"systemctl\", \"restart\", \"nginx\"]\n",[198,962,963],{"class":200,"line":225},[198,964,229],{"emptyLinePlaceholder":228},[198,966,967],{"class":200,"line":232},[198,968,969],{"class":204},"# ❌ This won't match (different arguments)\n",[198,971,972,974,977,979,982,985,988,991,994],{"class":200,"line":238},[198,973,65],{"class":211},[198,975,976],{"class":215}," --grant",[198,978,709],{"class":327},[198,980,981],{"class":700},"$JWT",[198,983,984],{"class":327},"\"",[198,986,987],{"class":215}," --",[198,989,990],{"class":215}," 
systemctl",[198,992,993],{"class":215}," stop",[198,995,996],{"class":215}," nginx\n",[198,998,999],{"class":200,"line":368},[198,1000,229],{"emptyLinePlaceholder":228},[198,1002,1003],{"class":200,"line":475},[198,1004,1005],{"class":204},"# ✅ This matches\n",[198,1007,1009,1011,1013,1015,1017,1019,1021,1023,1026],{"class":200,"line":1008},8,[198,1010,65],{"class":211},[198,1012,976],{"class":215},[198,1014,709],{"class":327},[198,1016,981],{"class":700},[198,1018,984],{"class":327},[198,1020,987],{"class":215},[198,1022,990],{"class":215},[198,1024,1025],{"class":215}," restart",[198,1027,996],{"class":215},[277,1029],{},[155,1031,65],{"id":65},[160,1033,1035],{"id":1034},"jwt-verification-failed-exit-code-5","\"JWT verification failed\" (exit code 5)",[165,1037,1038,408,1040,1042],{},[168,1039,170],{},[179,1041,65],{}," refuses to execute and exits with code 5.",[165,1044,1045],{},[168,1046,1047],{},"Possible causes and fixes:",[1049,1050,1051,1067],"table",{},[1052,1053,1054],"thead",{},[1055,1056,1057,1061,1064],"tr",{},[1058,1059,1060],"th",{},"Error in audit log",[1058,1062,1063],{},"Cause",[1058,1065,1066],{},"Fix",[1068,1069,1070,1089,1111,1129,1147,1158],"tbody",{},[1055,1071,1072,1076,1079],{},[1073,1074,1075],"td",{},"\"issuer not in allowed_issuers\"",[1073,1077,1078],{},"JWT issuer URL doesn't match config",[1073,1080,1081,1082,1085,1086],{},"If the issuer is an IdP you trust, add its URL to ",[179,1083,1084],{},"allowed_issuers"," in ",[179,1087,1088],{},"/etc/openape/config.toml",[1055,1090,1091,1094,1101],{},[1073,1092,1093],{},"\"audience mismatch\"",[1073,1095,1096,1097,1100],{},"JWT ",[179,1098,1099],{},"aud"," claim ≠ configured audience",[1073,1102,1103,1104,1107,1108,262],{},"Check ",[179,1105,1106],{},"allowed_audiences"," in config (default: ",[179,1109,1110],{},"[\"escapes\"]",[1055,1112,1113,1116,1122],{},[1073,1114,1115],{},"\"target_host mismatch\"",[1073,1117,1096,1118,1121],{},[179,1119,1120],{},"target_host"," ≠ system hostname",[1073,1123,1124,1125,1128],{},"Set 
",[179,1126,1127],"host"," in config to match, or fix the grant request",[1055,1130,1131,1134,1140],{},[1073,1132,1133],{},"\"approver not allowed\"",[1073,1135,1096,1136,1139],{},[179,1137,1138],{},"decided_by"," not in allowed list",[1073,1141,1142,1143,1146],{},"If the approver is one you expect, add them to ",[179,1144,1145],{},"allowed_approvers"," in config",[1055,1148,1149,1152,1155],{},[1073,1150,1151],{},"\"cmd_hash mismatch\"",[1073,1153,1154],{},"Command doesn't match grant",[1073,1156,1157],{},"Re-request grant with the exact command",[1055,1159,1160,1163,1169],{},[1073,1161,1162],{},"\"grant already consumed\"",[1073,1164,1165,1168],{},[179,1166,1167],{},"once"," grant was already used",[1073,1170,1171],{},"Request a new grant",[277,1173],{},[155,1175,1177],{"id":1176},"proxy","Proxy",[160,1179,1181],{"id":1180},"all-requests-blocked","\"All requests blocked\"",[165,1183,1184,1186],{},[168,1185,170],{}," The proxy blocks every request.",[165,1188,1189,408,1191,1194,1195,1198,1199,1202],{},[168,1190,176],{},[179,1192,1193],{},"default_action"," is set to ",[179,1196,1197],{},"block"," and no ",[179,1200,1201],{},"allow"," rules match.",[165,1204,1205,1207],{},[168,1206,187],{}," Add allow rules for expected traffic:",[189,1209,1213],{"className":1210,"code":1211,"language":1212,"meta":194,"style":194},"language-toml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","default_action = \"block\"\n\n[[allow]]\ndomain = \"api.github.com\"\nmethods = [\"GET\"]\n","toml",[179,1214,1215,1220,1224,1229,1234],{"__ignoreMap":194},[198,1216,1217],{"class":200,"line":201},[198,1218,1219],{},"default_action = \"block\"\n",[198,1221,1222],{"class":200,"line":208},[198,1223,229],{"emptyLinePlaceholder":228},[198,1225,1226],{"class":200,"line":225},[198,1227,1228],{},"[[allow]]\n",[198,1230,1231],{"class":200,"line":232},[198,1232,1233],{},"domain = \"api.github.com\"\n",[198,1235,1236],{"class":200,"line":238},[198,1237,1238],{},"methods = 
[\"GET\"]\n",[165,1240,1241,1242,1244,1245,1248],{},"Or change ",[179,1243,1193],{}," to ",[179,1246,1247],{},"request"," for a more permissive default; where the expected destinations are known, explicit allow rules are the narrower fix.",[277,1250],{},[155,1252,1254],{"id":1253},"session-issues","Session Issues",[160,1256,1258],{"id":1257},"session-not-persisting","\"Session not persisting\"",[165,1260,1261,1263],{},[168,1262,170],{}," User is logged in but loses the session on next request.",[165,1265,1266,408,1268,1270],{},[168,1267,176],{},[179,1269,555],{}," not set or changes between deployments.",[165,1272,1273],{},[168,1274,187],{},[545,1276,1277,1283,1286],{},[249,1278,1279,1280,1282],{},"Set a stable ",[179,1281,555],{}," environment variable",[249,1284,1285],{},"Ensure the secret is the same across all instances (if load-balanced)",[249,1287,1288,1289,1292],{},"Check cookie settings: domain must match, and ",[179,1290,1291],{},"Secure"," flag requires HTTPS",[160,1294,1296],{"id":1295},"session-expired-unexpectedly","\"Session expired unexpectedly\"",[165,1298,1299,1301,1302,633],{},[168,1300,170],{}," User is logged out before ",[179,1303,1304],{},"sessionMaxAge",[165,1306,1307,1309],{},[168,1308,176],{}," Server restart (in-memory sessions) or cookie domain mismatch.",[165,1311,1312],{},[168,1313,187],{},[545,1315,1316,1319],{},[249,1317,1318],{},"Configure persistent storage for sessions",[249,1320,1321],{},"Verify cookie domain matches the app's domain",[1323,1324,1325],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki 
.sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}",{"title":194,"searchDepth":225,"depth":208,"links":1327},[1328,1331,1336,1341,1346,1351,1354,1357],{"id":157,"depth":208,"text":158,"children":1329},[1330],{"id":162,"depth":225,"text":163},{"id":281,"depth":208,"text":282,"children":1332},[1333,1334,1335],{"id":285,"depth":225,"text":286},{"id":389,"depth":225,"text":390},{"id":492,"depth":225,"text":493},{"id":516,"depth":208,"text":517,"children":1337},[1338,1339,1340],{"id":520,"depth":225,"text":521},{"id":562,"depth":225,"text":563},{"id":636,"depth":225,"text":637},{"id":657,"depth":208,"text":658,"children":1342},[1343,1344,1345],{"id":661,"depth":225,"text":662},{"id":724,"depth":225,"text":725},{"id":785,"depth":225,"text":786},{"id":808,"depth":208,"text":809,"children":1347},[1348,1349,1350],{"id":812,"depth":225,"text":813},{"id":868,"depth":225,"text":869},{"id":927,"depth":225,"text":928},{"id":65,"depth":208,"text":65,"children":1352},[1353],{"id":1034,"depth":225,"text":1035},{"id":1176,"depth":208,"text":1177,"children":1355},[1356],{"id":1180,"depth":225,"text":1181},{"id":1253,"depth":208,"text":1254,"children":1358},[1359,1360],{"id":1257,"depth":225,"text":1258},{"id":1295,"depth":225,"text":1296},"Common errors and their solutions.","md",null,{},{"title":138,"description":1361},"TiV6jPPVbwBkA-6NM3_b3Jz8jNWC1HN21nmYPRfuwUI",[1368,1370],{"title":134,"path":135,"stem":136,"description":1369,"children":-1},"Deploy OpenApe IdP and SP to production.",{"title":142,"path":143,"stem":144,"description":1371,"children":-1},"Audit logs, log formats, and alerting recommendations.",1774221117377]