-
Notifications
You must be signed in to change notification settings - Fork 273
Closed
Description
Describe the bug
WebContainer API key (Personal plan, 25k sessions/month) does not work — both configureAPIKey() and auth.init() fail. The headless endpoint returns 404 and the OAuth token endpoint returns 401 "invalid_client", despite the key being enabled and the domain whitelisted in the API Console. API Console shows 0 sessions recorded.
Link to the blitz that caused the error
https://purple-bay-0c1aa211e.4.azurestaticapps.net
Steps to reproduce
- Create API key in API Console (Keys & Domains), enable it
- Add production domain to Allowed Sites
- In frontend code:
configureAPIKey('wc_api_***')thenWebContainer.boot({ coep: 'credentialless' }) - Deploy to HTTPS host with headers
Cross-Origin-Embedder-Policy: credentiallessandCross-Origin-Opener-Policy: same-origin - Browser console shows
crossOriginIsolated: trueandSharedArrayBuffer: available - Iframe request to
stackblitz.com/headless?client_id=wc_api_***&coep=credentialless&version=1.6.1returns 404 - Also tried
auth.init({ clientId, scope: '' })— /oauth/authorize works (shows permission dialog), but POST /oauth/token returns 401 witherror="invalid_client" - API Console Usage shows 0 sessions
- Directly visiting the headless URL in browser also returns 404
- localhost works fine without API key (as expected)
Expected behavior
The headless endpoint should return 200 and serve the WebContainer runtime when a valid client_id is provided from a whitelisted domain. The OAuth token exchange (POST /oauth/token) should succeed after user authorization. API Console Usage should record sessions.
Parity with Local
- I have run the project in my local machine and I could not reproduce the issue.
Screenshots
Platform
- OS: Windows 10
- Browser: Chrome
- Version: 144
Additional context
No response
Reactions are currently unavailable