bug: Self-hosted Admin Console Security page returns 401 on /api/sign-in-exp and /api/captcha-provider #8134

@joshuatza

Description

On a self-hosted Logto instance, the Security page in the Admin Console fails to load with persistent 401 Unauthorized errors. This occurs on fresh installs across multiple Logto versions.

Environment

  • Logto Version: 1.35.0 (also tested on 1.20.0 and 1.34.0 - same issue)
  • Deployment: Docker (official ghcr.io/logto-io/logto:latest image)
  • Database: PostgreSQL 16
  • Proxy: Cloudflare Tunnel with TRUST_PROXY_HEADER=1

Configuration

environment:
  - TRUST_PROXY_HEADER=1
  - DB_URL=postgresql://logto:***@logto-db:5432/logto
  - ENDPOINT=https://auth.example.com
  - ADMIN_ENDPOINT=https://admin.example.com

Steps to Reproduce

  1. Deploy fresh self-hosted Logto instance
  2. Complete initial admin account setup
  3. Navigate to Admin Console → Security page
  4. Observe 401 errors in browser console

Expected Behavior

Security page should load and allow configuration of password policy, CAPTCHA, blocklist settings.

Actual Behavior

Multiple API endpoints return 401 Unauthorized:

GET https://auth.example.com/api/sign-in-exp 401 (Unauthorized)
GET https://auth.example.com/api/captcha-provider 401 (Unauthorized)

The error response includes an unusual details field:

{
  "code": "auth.unauthorized",
  "data": {},
  "details": "Unexpected token '<', \"<!DOCTYPE \"... is not valid JSON",
  "message": "Unauthorized. Please check credentials and its scope."
}

Additional Context

  • The /me endpoint works correctly (returns 200)
  • The /api/.well-known/sign-in-exp public endpoint works correctly
  • Other Admin Console pages (Applications, Connectors, Users) work fine
  • Issue persists after:
    • Fresh database seed
    • Clearing all OIDC sessions
    • Multiple Logto versions
    • Using official Docker image vs custom builds

Logs

OPTIONS /api/sign-in-exp 204 3ms
GET /api/sign-in-exp 401 1,071ms 174b
OPTIONS /api/captcha-provider 204 2ms
GET /api/captcha-provider 401 578ms 174b

The strange details field with "Unexpected token '<'" suggests something is trying to parse an HTML response as JSON internally, but this occurs even when CAPTCHA is not configured.
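The nested parse error quoted above is worth triaging before touching credentials or scopes: the outer 401 body is valid JSON, but its details field reports that some inner step received a document starting with "<" where JSON was expected. A quick way to confirm which hop is returning HTML is to capture the raw responses (browser devtools, curl, or a proxy log) and classify each body by its first non-whitespace byte rather than by its Content-Type header. The script below is an added diagnostic example, not Logto code; the two 401 bodies are the one quoted in this issue, while the third response (URL, status and HTML body) is constructed purely to show what a mislabelled HTML page looks like to this check.

```python
"""Classify captured HTTP responses as JSON or HTML and flag nested parse errors.

Added diagnostic example, not part of Logto. The sample responses are
constructed: the JSON body is the 401 error quoted in the issue; the HTML body
and the third URL are placeholders, not real captures.
"""
import json
import re

# 401 body exactly as quoted in the issue (constructed copy for this example).
JSON_401_BODY = (
    '{"code": "auth.unauthorized", "data": {}, '
    '"details": "Unexpected token \'<\', \\"<!DOCTYPE \\"... is not valid JSON", '
    '"message": "Unauthorized. Please check credentials and its scope."}'
)

# Placeholder HTML page (constructed) standing in for whatever an intermediary
# in front of the instance might return instead of JSON.
HTML_PLACEHOLDER_BODY = (
    "<!DOCTYPE html>\n<html><head><title>Placeholder HTML page</title></head>"
    "<body>not json</body></html>"
)

# Constructed captures: url/status/content_type/body as you would copy them
# from devtools or a curl -i run. The third entry is hypothetical.
SAMPLE_RESPONSES = [
    {"url": "https://auth.example.com/api/sign-in-exp", "status": 401,
     "content_type": "application/json; charset=utf-8", "body": JSON_401_BODY},
    {"url": "https://auth.example.com/api/captcha-provider", "status": 401,
     "content_type": "application/json; charset=utf-8", "body": JSON_401_BODY},
    {"url": "https://auth.example.com/hypothetical-upstream-call", "status": 200,
     "content_type": "application/json", "body": HTML_PLACEHOLDER_BODY},
]

_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def classify_body(content_type, body):
    """Decide from the body itself whether it is HTML, JSON or something else.

    The Content-Type header is only used to flag a mismatch; a consumer that
    trusts the header and calls json.loads on HTML gets exactly the
    "Unexpected token '<'" error seen in the issue.
    """
    stripped = body.lstrip()
    if stripped.startswith("<"):
        match = _TITLE_RE.search(body)
        return {
            "kind": "html",
            "title": match.group(1).strip() if match else None,
            "header_mismatch": "json" in content_type.lower(),
        }
    try:
        parsed = json.loads(body)
    except ValueError:
        return {"kind": "unknown", "preview": stripped[:40]}
    return {"kind": "json", "parsed": parsed}


def diagnose(responses):
    """Summarise each captured response; mark JSON errors that wrap a parse failure."""
    report = []
    for resp in responses:
        cls = classify_body(resp["content_type"], resp["body"])
        entry = {"url": resp["url"], "status": resp["status"], "kind": cls["kind"]}
        if cls["kind"] == "json":
            parsed = cls["parsed"] if isinstance(cls["parsed"], dict) else {}
            entry["code"] = parsed.get("code")
            # A details string complaining about invalid JSON means some call
            # made on the server side (not this response) received non-JSON.
            entry["upstream_parse_failure"] = "not valid JSON" in str(parsed.get("details", ""))
        elif cls["kind"] == "html":
            entry["title"] = cls["title"]
            entry["header_mismatch"] = cls["header_mismatch"]
        report.append(entry)
    return report


if __name__ == "__main__":
    for line in diagnose(SAMPLE_RESPONSES):
        print(line)
```

Run it against real captures by replacing SAMPLE_RESPONSES with what you observed; an entry marked upstream_parse_failure tells you the 401 is a symptom of a server-side call that got HTML, so the next capture to take is the server's own outbound request (through the tunnel or proxy) rather than the browser's.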
