.beans/nuzlocke-tracker-snft--support-es256-ecc-p-256-jwt-keys-in-backend-auth.md

---
# nuzlocke-tracker-snft
title: Support ES256 (ECC P-256) JWT keys in backend auth
status: completed
type: bug
priority: normal
created_at: 2026-03-22T10:51:30Z
updated_at: 2026-03-22T10:59:46Z
---

Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.

## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.

Deployed to production via PR #86 merge on 2026-03-22.
fix: accept ES256 (ECC P-256) JWT keys alongside RS256 in backend auth Supabase JWT key was switched to ECC P-256, but the JWKS verification only accepted RS256. Add ES256 to the accepted algorithms list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:52:42 +01:00			`---`
			`# nuzlocke-tracker-snft`
			`title: Support ES256 (ECC P-256) JWT keys in backend auth`
chore: mark ES256 JWT support bean as completed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:53:13 +01:00			`status: completed`
fix: accept ES256 (ECC P-256) JWT keys alongside RS256 in backend auth Supabase JWT key was switched to ECC P-256, but the JWKS verification only accepted RS256. Add ES256 to the accepted algorithms list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:52:42 +01:00			`type: bug`
chore: mark ES256 JWT support bean as completed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:53:13 +01:00			`priority: normal`
fix: accept ES256 (ECC P-256) JWT keys alongside RS256 in backend auth Supabase JWT key was switched to ECC P-256, but the JWKS verification only accepted RS256. Add ES256 to the accepted algorithms list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:52:42 +01:00			`created_at: 2026-03-22T10:51:30Z`
fix: add logging to debug auth issues 2026-03-22 12:01:28 +01:00			`updated_at: 2026-03-22T10:59:46Z`
fix: accept ES256 (ECC P-256) JWT keys alongside RS256 in backend auth Supabase JWT key was switched to ECC P-256, but the JWKS verification only accepted RS256. Add ES256 to the accepted algorithms list. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:52:42 +01:00			`---`

			`Backend JWKS verification only accepts RS256 algorithm, but Supabase JWT key was switched to ECC P-256 (ES256). This causes 401 errors on all authenticated requests. Fix: accept both RS256 and ES256 in the algorithms list, and update tests accordingly.`
chore: mark ES256 JWT support bean as completed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-22 11:53:13 +01:00
			## Summary of Changes\n\nAdded ES256 to the accepted JWT algorithms in `_verify_jwt()` so ECC P-256 keys from Supabase are verified correctly alongside RSA keys. Added corresponding test with EC key fixtures.
fix: add logging to debug auth issues 2026-03-22 12:01:28 +01:00
			`Deployed to production via PR #86 merge on 2026-03-22.`