JWT Plugin Returning HTTP 500s #14827

@spirrello

Description

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

3.11.0.3 and 3.13.0.0

Current Behavior

When we send an invalid JWT in the authorization header, we get the following error along with an HTTP 500.

{
  "message":"An unexpected error occurred",
  "request_id":"asdfasdfasdf"
}

Expected Behavior

We should instead receive an HTTP 401.

Steps To Reproduce

Send an HTTP GET request with an invalid JWT in the authorization header.

Anything else?

I see this previous issue but it doesn't seem to be resolved.

#1329

Example error log:

2026/02/04 20:47:01 [error] 2671#0: *9018354 [kong] init.lua:443 [jwt] ./jwt/handler.lua:353: attempt to index local 'hdr' (a nil value), client: x.x.x.x, server: kong, request: "GET /api/v1/omg HTTP/1.1", host: "blah.cool.io", request_id: "asdfadsfdsf"

JWT plugin configuration:

enabled: true
tags:
  - super-cool
protocols:
  - grpc
  - grpcs
  - http
  - https
name: jwt
service:
  id: -asdfasdfadsf
config:
  uri_param_names:
    - jwt
  maximum_expiration: 0
  claims_to_verify:
    - exp
  anonymous: null
  secret_is_base64: false
  realm: null
  key_claim_name: sub
  header_names:
    - authorization
  run_on_preflight: true
  cookie_names: []
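
Added example, not part of the original report and not Kong's code: the log above shows the handler indexing a nil `hdr`, while the expected result is a 401. The Python below shows a token pre-check in which every malformed input, including a header segment that decodes to JSON `null`, is rejected with 401 instead of raising. Function names and sample tokens are constructed, signature verification is out of scope, and which input triggered the reported error is an open assumption since the issue does not state it.

```python
import base64
import binascii
import json

def _segment_json(segment):
    """Decode one base64url JWT segment into a Python value or raise ValueError."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded.encode("ascii"))
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeError, ValueError) as exc:
        raise ValueError("segment is not base64url-encoded JSON") from exc

def parse_token(token):
    """Return (200, parts) for a well-formed token, else (401, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "token must have three segments"
    try:
        hdr, claims = _segment_json(parts[0]), _segment_json(parts[1])
    except ValueError as exc:
        return 401, str(exc)
    # JSON null, arrays, strings and numbers decode cleanly but are not objects.
    # Indexing such a header unguarded would raise instead of rejecting the token.
    if not isinstance(hdr, dict) or not isinstance(claims, dict):
        return 401, "header and claims must be JSON objects"
    if not isinstance(hdr.get("alg"), str):
        return 401, "header has no alg"
    return 200, {"header": hdr, "claims": claims}

def authenticate(authorization):
    """Map an Authorization header value to (status, detail); never raises."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "no bearer credentials"
    return parse_token(token.strip())

def _enc(obj):
    """Build a base64url segment for the constructed samples below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample tokens (signature is a dummy; it is not verified here).
GOOD = _enc({"alg": "HS256", "typ": "JWT"}) + "." + _enc({"sub": "key-1", "exp": 1}) + ".c2ln"
NULL_HDR = _enc(None) + "." + _enc({"sub": "key-1"}) + ".c2ln"

if __name__ == "__main__":
    for value in ["Bearer " + GOOD, "Bearer " + NULL_HDR, "Bearer a.b.c", "Bearer junk", None]:
        print(repr(value)[:40], "->", authenticate(value)[0])
```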
