I can't seem to log in to Fauna with an existing user

In the shell I am using "Run under different role", selecting client, and the below works

Login(Match(Index("unique_User_email"), "person@email.com"), {
  password: "password"
})

But this does not work

const auth = await client.query(
    q.Login(q.Match(q.Index("unique_User_email"), "person@email.com"), {
      password: "password",
    })
);

import faunadb from "faunadb";
console.log("FAUNA CLIENT KEY", process.env.FAUNA_CLIENT_KEY);
export const client = new faunadb.Client({
  secret: process.env.FAUNA_CLIENT_KEY,
});

The response I get back is Unauthorized

So basically I tested the same role in the shell, and I could log in, but when I used the API key client with that role it does not allow me to log in. Even if I use a server API key it does not allow me to log in. I am stuck here.

The image is my client role, that my fauna client key is attached to

Is the secret that you are using in your client code associated with the database where the “unique_User_email” index exists? I have made the mistake of using the wrong secret before.

Yes, I am pretty certain it is. I was able, for now, to create a lambda function and do this via GraphQL in the playground, so if I run into this problem once I implement in GraphQL, which is my preferred method, then it is definitely the secret. However, I am certain I am in the right db, so not sure.

If you use a secret for a server key, then your ABAC roles don’t apply. Do you get the “Unauthorized” error when using a server key’s secret? If so, can you run any other queries using a server key’s secret?

All good things to check. I will test that. I did use a server key to see, but I will check again.

Yeah I just don’t seem to get it. I have used my Key as the Bearer strategy, and it works in playground when I replace the headers, but in my app I get back invalid database secret. I even hard coded it to test, and revoked and created new. Not sure what is going on. Signing off for the night.

Oh my, I was using the wrong endpoint. In my other app it doesn’t have the .us. part. So I just copied and pasted.

I’m glad you found the discrepancy.

Having to use region group-specific endpoint URLs is a bit of a pain. We are working on a new routing layer that should eliminate that problem, but it won’t be available for a bit.
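The endpoint mismatch that resolved this thread can be caught before the first query. The following is an added example, not code from any poster or from Fauna: `faunaClientOptions` and `describeTarget` are hypothetical helpers, and the region group hostnames are assumptions that should be confirmed for your own account.

```javascript
// Assumed region-group hostnames (not stated in the thread); verify before use.
const REGION_DOMAINS = {
  classic: "db.fauna.com",
  us: "db.us.fauna.com",
  eu: "db.eu.fauna.com",
};

// Build the options object for `new faunadb.Client(...)` and refuse to continue
// when a copied endpoint belongs to a different region group than the database.
// A valid secret sent to the wrong region group is rejected as unauthorized.
function faunaClientOptions({ secret, regionGroup, endpoint }) {
  const expected = REGION_DOMAINS[regionGroup];
  if (!expected) throw new Error(`unknown region group: ${regionGroup}`);
  if (!secret) throw new Error("Fauna secret is not set");

  const options = { secret, domain: expected, scheme: "https", port: 443 };
  if (endpoint) {
    // Accept either a bare host or a full URL pasted from another project.
    const url = new URL(endpoint.includes("://") ? endpoint : `https://${endpoint}`);
    if (url.hostname !== expected) {
      throw new Error(
        `endpoint host ${url.hostname} does not match region group ` +
        `"${regionGroup}" (expected ${expected})`
      );
    }
    options.scheme = url.protocol.replace(":", "");
    options.port = url.port ? Number(url.port) : options.scheme === "https" ? 443 : 80;
  }
  return options;
}

// Log where requests go without printing the secret itself.
function describeTarget(options) {
  return `${options.scheme}://${options.domain}:${options.port} ` +
    `secret=<redacted, ${options.secret.length} chars>`;
}

// Usage (requires the faunadb package):
//   const client = new faunadb.Client(faunaClientOptions({
//     secret: process.env.FAUNA_CLIENT_KEY, regionGroup: "us",
//     endpoint: process.env.FAUNA_ENDPOINT }));
```
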
