Receiving "invalid signature" Error While Authenticating with Fireblocks Sandbox API

Hi everyone,

I’m currently working on integrating with the Fireblocks Sandbox API, and I’m running into an issue during the authentication process. When I attempt to make a request, I consistently receive the following error response:

```json
{
  "code": -1,
  "message": "invalid signature"
}
```

Here’s what I’ve done so far:

I’ve followed the authentication steps outlined in the Fireblocks documentation.
I’m generating the JWT token using my private key, including the correct headers and payload.
The Authorization header is set with the generated JWT.
The request is being sent to the correct Sandbox API endpoint.

Despite all of this, the request fails with the “invalid signature” error.

What I’ve double-checked:

The private key matches the one uploaded to the Fireblocks Console.
The JWT iat and exp claims are correctly set and within a valid time window.
The API key is correct and matches the one from the Fireblocks Sandbox environment.
The JWT is being signed using the RS256 algorithm as required.

If anyone has experienced a similar issue or has any suggestions on what else I might be missing, I’d greatly appreciate your input. I’m happy to provide code snippets or additional request details if needed.

Thanks in advance!

Hi Mit,

Thank you for sharing.
This error indicates that the private key you are using is not the private key associated with that API user.
Please make sure that the CSR file and private key generated according to link
are used when signing that JWT.

For example:

I generated two CSRs and private keys: CSR1, CSR2, PRIVATEKEY1 and PRIVATEKEY2,
and created an API user with CSR1.
When signing the JWT I am using PRIVATEKEY2.
I will receive this error:
{ "message": "invalid signature", "code": -1}
Essentially you have no way of knowing which CSR file is used by which API user from the console.
I would recommend creating a new API user and generating a new CSR file for that API user and making sure that the correct private key is used when creating that JWT.
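The key/CSR mismatch described in the reply above can be checked locally before creating an API user. This is an added example, not part of the thread or of Fireblocks' own tooling: it uses the `openssl` CLI to compare the public key derived from a private key with the public key embedded in a CSR. The file names, the `CN` value and the RSA-2048 demo keys are constructed for illustration.

```shell
#!/bin/sh
# Added example. Checks locally that a private key is the one a CSR was made from.

# SHA-256 fingerprint of a PEM public key passed as $1 (empty input is an error).
spki_fpr() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the public half of a private key file.
key_fpr() { spki_fpr "$(openssl pkey -in "$1" -pubout 2>/dev/null)"; }

# Fingerprint of the public key embedded in a CSR file.
csr_fpr() { spki_fpr "$(openssl req -in "$1" -noout -pubkey 2>/dev/null)"; }

# 0 = key matches CSR, 1 = mismatch, 2 = a file could not be parsed.
key_matches_csr() {
    k=$(key_fpr "$1") || return 2
    c=$(csr_fpr "$2") || return 2
    [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway RSA key and CSR named $1.key / $1.csr.
make_pair() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=constructed-demo" 2>/dev/null
}

# Reproduce the CSR1 / PRIVATEKEY2 situation with two constructed pairs.
demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d/one" && make_pair "$d/two" || return 1
    for key in one two; do
        if key_matches_csr "$d/$key.key" "$d/one.csr"; then
            echo "$key.key matches one.csr"
        else
            echo "$key.key does NOT match one.csr"
        fi
    done
    rm -rf "$d"
}

# With two arguments, check those files; otherwise run the constructed demo.
if [ "$#" -eq 2 ]; then key_matches_csr "$1" "$2"; else demo; fi
```

Run it as `sh check.sh <private key file> <CSR file>` against the CSR that was uploaded for the API user; an exit status of 1 means the JWT would be signed with a key the API user was not created with.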