[node-sdk] CreateAssistant returns "unauthenticated request for invoke" with valid PAT, while GetAllAssistant works #120

@oguzhan51511

Environment

  • Self-hosted Rapida (current main, deployed via the published docker-compose)
  • @rapidaai/nodejs@1.0.22 (Node 22 LTS, @grpc/grpc-js transport)
  • Calling the API from a Node.js backend running in the same Docker network — internal hostnames rapida__assistant-api:9007, rapida__web-api:9001, rapida__endpoint-api:9005 (these are the default service names from the published compose), insecure gRPC (no TLS)
  • Personal Access Token obtained from /integration/personal-credential

Symptom

CreateAssistant returns:

code=2 INTERNAL: unauthenticated request for invoke

even though the same PAT successfully drives every other RPC we use.

What works ✅

Inside the same container, same SDK, same PAT triple:

// 1. project-scope read with the Developer Key OR PAT
await GetAllAssistant(config, req, ConnectionConfig.WithSDK({ ApiKey: '<dev-key>' }));

// 2. admin-scope read with PAT
await GetAllAssistantWebhook(config, req, ConnectionConfig.WithPersonalToken({
  Authorization, AuthId, ProjectId,
}));

What fails ❌

const auth = ConnectionConfig.WithDebugger({
  authorization: '<PAT>', userId: '<auth-id>', projectId: '<project-id>',
});
const req = new CreateAssistantRequest();
req.setName('probe-' + Date.now());
req.setSource('aiva');
req.setSourceidentifier('<master-assistant-id>');
req.setVisibility('private');
const providerReq = new CreateAssistantProviderRequest();
const model = new CreateAssistantProviderRequest.CreateAssistantProviderModel();
model.setModelprovidername('openai');
providerReq.setModel(model);
req.setAssistantprovider(providerReq);

await CreateAssistant(config, req, auth);
// → code=2 INTERNAL: unauthenticated request for invoke

Also fails when we replay the full assistantprovidermodel snapshot from GetAllAssistant (template + assistantmodeloptionsList).

Network capture from the Rapida UI

The UI's own CreateAssistant call (Edge DevTools) sends:

POST /assistant_api.AssistantService/CreateAssistant
authorization: <PAT>
x-auth-id: <auth-id>
x-project-id: <project-id>
x-client-source: debugger
content-type: application/grpc-web+proto

No cookies, no other auth headers. The SDK's WithDebugger produces an equivalent metadata set when targeted at rapida__assistant-api:9007 (verified by reading index.js).

Questions

  1. What does the server-side "for invoke" auth check require, beyond the PAT triple + x-client-source: debugger?
  2. Is CreateAssistant dispatched through the Invoke RPC server-side? If so, which auth scope does Invoke require?
  3. Does the unauthenticated request for invoke message map to a specific Go-side handler we can inspect for the exact field it's reading?

What we've tried

  • WithSDK (Developer Key), WithPersonalToken, WithDebugger — none pass CreateAssistant from our service context
  • Splitting ConnectionConfig per-service so assistantClient resolves to rapida__assistant-api:9007 (verified at runtime)
  • Replaying full provider-model snapshot

Happy to share more reproduction code / packet captures if useful. Thanks for any pointer
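
An added example, not part of the original issue or the Rapida SDK: one way to check the "equivalent metadata set" comparison mechanically and produce a diff that can be pasted into a public issue without exposing the PAT. All header values and the `x-constructed-extra` key are constructed sample data, and the candidate map stands in for whatever metadata the client actually sends.

```javascript
// Headers whose values must never appear in a shared report.
const SECRET = new Set(['authorization']);
// Headers that legitimately differ between grpc-web (browser) and native gRPC.
const TRANSPORT = new Set(['content-type', 'user-agent', 'te', 'accept']);

// Parse "name: value" lines copied from DevTools into a lowercase-keyed Map.
// The request line and HTTP/2 pseudo-headers (":path") are skipped.
function parseHeaderBlock(text) {
  const headers = new Map();
  for (const line of text.split('\n')) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Secrets are reported by length only, which still exposes a stray prefix or whitespace.
function redact(key, value) {
  return SECRET.has(key) ? `<redacted, ${value.length} chars>` : value;
}

function diffMetadata(reference, candidate) {
  const report = { missing: [], extra: [], mismatched: [] };
  for (const [key, value] of reference) {
    if (TRANSPORT.has(key)) continue;
    if (!candidate.has(key)) report.missing.push(key);
    else if (candidate.get(key) !== value) {
      report.mismatched.push({ key, reference: redact(key, value), candidate: redact(key, candidate.get(key)) });
    }
  }
  for (const key of candidate.keys()) {
    if (!TRANSPORT.has(key) && !reference.has(key)) report.extra.push(key);
  }
  return report;
}

// Constructed capture in the shape shown in the issue (values are not real).
const uiCapture = `POST /assistant_api.AssistantService/CreateAssistant
authorization: pat-constructed-AAAA
x-auth-id: 1001
x-project-id: 2002
x-client-source: debugger
content-type: application/grpc-web+proto`;

// Constructed candidate: what a hypothetical client sent on the wire.
const candidate = new Map([['authorization', 'Bearer pat-constructed-AAAA'],
  ['x-auth-id', '1001'], ['x-project-id', '2002'], ['x-constructed-extra', '1']]);

const report = diffMetadata(parseHeaderBlock(uiCapture), candidate);
console.log(JSON.stringify(report, null, 2));
```

With `@grpc/grpc-js`, the candidate map can be filled from `Metadata.getMap()` inside a client interceptor, so the comparison reflects what is actually sent rather than what the source suggests.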

Labels: bug (Something isn't working)