Skip to content
Latchkey

web-ext sign WebExtError 401 / bad API credentials in CI

web-ext sign authenticates to the AMO API with a JWT built from your API key (issuer) and secret. A 401 means those credentials are missing, wrong, or not passed into the CI step.

What this error means

web-ext sign fails with a WebExtError and an HTTP 401 from the addons API, mentioning the request could not be authenticated.

web-ext
WebExtError: Could not approve/sign add-on; received HTTP 401 from
https://addons.mozilla.org/api/v5/addons/...
Authentication credentials were not provided or are invalid.

Common causes

API key or secret missing from the CI step

The --api-key/--api-secret (or WEB_EXT_API_KEY/WEB_EXT_API_SECRET) were not injected from secrets, so an unauthenticated request returns 401.

The credentials are wrong or revoked

A rotated or mistyped issuer/secret pair fails JWT verification at the AMO API.

How to fix it

Inject the AMO credentials from secrets

  1. Generate an API key and secret in the AMO Developer Hub.
  2. Store both as CI secrets, never in the repo.
  3. Pass them to web-ext as flags or environment variables.
.github/workflows/ci.yml
env:
  WEB_EXT_API_KEY: ${{ secrets.AMO_JWT_ISSUER }}
  WEB_EXT_API_SECRET: ${{ secrets.AMO_JWT_SECRET }}

Verify the key pair is current

Regenerate the API credentials if they were revoked, and update the stored secrets in one place.

Terminal
web-ext sign --api-key "$WEB_EXT_API_KEY" --api-secret "$WEB_EXT_API_SECRET"

How to prevent it

  • Keep AMO JWT issuer and secret in CI secrets.
  • Rotate credentials on a schedule and update the secret store.
  • Fail fast with a credential check before uploading large artifacts.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →