API key not working, headless returns 404 & OAuth token returns 401 "invalid_client"

[jeremynwa]

Describe the bug

WebContainer API key (Personal plan, 25k sessions/month) does not work — both configureAPIKey() and auth.init() fail. The headless endpoint returns 404 and the OAuth token endpoint returns 401 "invalid_client", despite the key being enabled and the domain whitelisted in the API Console. API Console shows 0 sessions recorded.

Link to the blitz that caused the error

https://purple-bay-0c1aa211e.4.azurestaticapps.net

Steps to reproduce

1. Create API key in API Console (Keys & Domains), enable it
2. Add production domain to Allowed Sites
3. In frontend code: configureAPIKey('wc_api_***') then WebContainer.boot({ coep: 'credentialless' })
4. Deploy to HTTPS host with headers Cross-Origin-Embedder-Policy: credentialless and Cross-Origin-Opener-Policy: same-origin
5. Browser console shows crossOriginIsolated: true and SharedArrayBuffer: available
6. Iframe request to stackblitz.com/headless?client_id=wc_api_***&coep=credentialless&version=1.6.1 returns 404
7. Also tried auth.init({ clientId, scope: '' }) — /oauth/authorize works (shows permission dialog), but POST /oauth/token returns 401 with error="invalid_client"
8. API Console Usage shows 0 sessions
9. Directly visiting the headless URL in browser also returns 404
10. localhost works fine without API key (as expected)

Expected behavior

The headless endpoint should return 200 and serve the WebContainer runtime when a valid client_id is provided from a whitelisted domain. The OAuth token exchange (POST /oauth/token) should succeed after user authorization. API Console Usage should record sessions.

Parity with Local

• I have run the project in my local machine and I could not reproduce the issue.

Screenshots

Platform

• OS: Windows 10
• Browser: Chrome
• Version: 144

Additional context

No response

[github-actions]

We noticed that you did not provide a StackBlitz or Bolt reproduction link. Please update the issue and add a link to a public project.

[jeremynwa]

This issue only reproduces on non-localhost production deployments. The bug is that the /headless endpoint returns 404 when accessed from a whitelisted domain with a valid client_id. It works fine on localhost without an API key. Live site: https://purple-bay-0c1aa211e.4.azurestaticapps.net

[SamVerschueren]

Can you show the Allowed sites configuration from https://stackblitz.com/api-console? Wondering if something is misconfigured. I just tested this and it seems to work fine.

[jeremynwa]

Hello here it is

[SamVerschueren]

The problem is that it's behind a login so I can't check what happens. Is it possible to provide me with login details? You can email me at samv@stackblitz.com.

[jeremynwa]

I just sent you an email.

[SamVerschueren]

The reason it returns as a 404 is because you are preventing the referrer from being sent with Referrer-Policy: same-origin. This means we can't check for your API key matching the allowed websites. You need to remove that header response or set it to origin or something. That will fix the issue.

[jeremynwa]

Thank you very much ! Have a nice day