openclaw - 💡(How to fix) Fix Google Chat (G Suite Add-on) returns 401 Unauthorized — JWT verification failure [2 comments, 3 participants]

openclaw/openclaw#58541, fetched 2026-04-08 02:01:19


Bug Report: Google Chat (G Suite Add-on) JWT Verification Failure

Environment

Problem Summary

Google Chat app configured as G Suite Add-on (not standard webhook) returns HTTP 401 Unauthorized for all incoming messages. The request reaches the gateway (verified by curl), but JWT verification fails.

Configuration (openclaw.json channels.googlechat)

{
  "enabled": true,
  "groupPolicy": "open",
  "serviceAccountFile": "/Users/patrik/Documents/open-claw-2df0242c89b2.json",
  "audienceType": "app-url",
  "audience": "https://patriks-mac-mini.tail284d5a.ts.net/googlechat",
  "webhookPath": "/googlechat",
  "streamMode": "replace",
  "appPrincipal": "[email protected]"
}

Google Cloud Setup

Observed Behavior

Gateway Access

  • curl https://patriks-mac-mini.tail284d5a.ts.net/googlechat → 405 Method Not Allowed (route exists ✓)
  • curl -X POST https://patriks-mac-mini.tail284d5a.ts.net/googlechat with no auth → invalid payload
  • curl -X POST ... with fake Bearer token → unauthorized

Google Cloud Error Logs

"error": {
  "code": 3,
  "message": "status code: 401, reason phrase: HTTP/1.1 401 Unauthorized\nResponse body: unauthorized"
}
"deployment": "projects/chat/keys/322327198268"
"deploymentFunction": "https://patriks-mac-mini.tail284d5a.ts.net/googlechat"

Error type: g_suite_add_ons — confirms G Suite Add-on flow.

What Was Tried

Analysis

Based on OpenClaw source code examination (channel.runtime-CIV338ic.js):

  • When audienceType === "app-url", the code validates both JWT signature AND compares appPrincipal against the JWT's sub claim
  • The expectedAddOnPrincipal is set to the configured appPrincipal
  • This check is bypassed when audienceType === "project-number" (only signature validation)

The G Suite Add-on JWT flow sends tokens from [email protected] with an audience claim that may not match the configured URL.

Relevant OpenClaw Issues Referenced

  • Issue #53888 — G Suite Add-ons JWT audience mismatch
  • Issue #35095 — 401 even when audience matches
  • Issue #26332 — Add-on token verification broken
  • Issue #22699 — Duplicate webhook targets on restart
  • Issue #51901 — ESM/CJS route registry fix (already fixed)

Questions

  1. Is there a way to enable debug logging for JWT verification in OpenClaw?
  2. Does OpenClaw's G Suite Add-on flow support the appPrincipal verification correctly?
  3. Is there a known limitation with G Suite Add-on vs. standard webhook authentication?

Expected Behavior

Google Chat messages should be received and processed without 401 errors when properly configured.

Severity

P1 — Google Chat completely non-functional for G Suite Add-on deployments

extent analysis

TL;DR

The most likely fix is to adjust the audienceType and audience configuration in openclaw.json to correctly match the G Suite Add-on JWT audience claim.

Guidance

  1. Verify JWT audience claim: Check the JWT token sent by the G Suite Add-on to determine the exact audience claim value, which may not match the configured audience URL.
  2. Adjust audience configuration: Update the audienceType to "project-number" and set audience to the project number 322327198268, as this bypasses the appPrincipal check and only validates the JWT signature.
  3. Enable debug logging: Investigate enabling debug logging for JWT verification in OpenClaw to gain more insight into the verification process and potential issues.
  4. Review OpenClaw issues: Examine the referenced OpenClaw issues (e.g., #53888, #35095) to see if they provide additional guidance or workarounds for the G Suite Add-on JWT audience mismatch.
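
Guidance step 1 and the issue's analysis both come down to comparing the token's aud and sub claims with the configured audience and appPrincipal. The following is an added example, not OpenClaw's code: it decodes a captured token's payload without verifying it and lists which comparisons would fail. Function names and sample values are constructed, and exact string comparison of aud is an assumption.

```javascript
// Added diagnostic sketch, not OpenClaw code. Decoding does not verify the
// signature; use it only to compare claims against openclaw.json values.

// Decode the payload (second segment) of a compact JWT, with or without "Bearer ".
function decodeJwtClaims(token) {
  const parts = String(token).trim().replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report which comparisons would fail, following the checks as the issue describes them.
function explainClaimChecks(claims, cfg) {
  const findings = [];
  // RFC 7519 allows aud to be one string or an array of strings.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(cfg.audience)) {
    findings.push(`aud mismatch: token=${JSON.stringify(claims.aud)} config=${cfg.audience}`);
  }
  if (cfg.audienceType === "app-url") {
    if (claims.sub !== cfg.appPrincipal) {
      findings.push(`sub mismatch: token=${claims.sub} appPrincipal=${cfg.appPrincipal}`);
    }
  } else if (cfg.audienceType === "project-number") {
    // Per the issue, the principal comparison is skipped in this mode.
    findings.push("sub not compared: project-number mode is signature-only per the issue");
  }
  return findings;
}

// Constructed sample: placeholder values and a fake signature segment.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.ZmFrZQ`;
}
const sampleToken = makeSampleToken({
  aud: "https://chat.example.invalid/googlechat/", // trailing slash differs from config
  sub: "constructed-subject-id",
});
const sampleConfig = {
  audienceType: "app-url",
  audience: "https://chat.example.invalid/googlechat",
  appPrincipal: "addon-sa@example.invalid",
};
console.log(explainClaimChecks(decodeJwtClaims(sampleToken), sampleConfig));
```

An empty result means the claims line up with the configuration, so a remaining 401 points at signature or key handling rather than at aud or sub.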

Example

No code snippet is provided, as the issue is related to configuration and JWT verification.

Notes

The G Suite Add-on flow may have specific requirements or limitations for JWT verification, which are not fully understood from the provided information. Further investigation and debugging may be necessary to resolve the issue.

Recommendation

Apply a workaround by adjusting the audienceType and audience configuration, as this may allow the G Suite Add-on to function correctly until a more permanent fix is available.
