Troubleshooting
This guide covers common issues with Rack Gateway and how to diagnose and resolve them.
Quick Diagnostics
Section titled “Quick Diagnostics”# Check gateway healthcurl https://gateway.example.com/api/v1/health
# View recent logs (Convox)convox logs -a rack-gateway --since 10mAuthentication Issues
Section titled “Authentication Issues””Login Failed” After OAuth
Section titled “”Login Failed” After OAuth”Possible causes:
GOOGLE_ALLOWED_DOMAINdoesn’t match the user’s email domain- Redirect URI mismatch in Google Cloud Console
DOMAINmisconfigured (affects OAuth redirects)
Checks:
- Confirm redirect URIs include:
https://<DOMAIN>/api/v1/auth/web/callbackhttps://<DOMAIN>/api/v1/auth/cli/callback
- Verify
GOOGLE_ALLOWED_DOMAINmatches your workspace domain.
”Session Expired” Immediately
Section titled “”Session Expired” Immediately”Possible causes:
APP_SECRET_KEYchanged between restarts- Session timeout set too low
Checks:
- Ensure
APP_SECRET_KEYis stable and stored in Convox env. - Adjust timeout with
RGW_SETTING_SESSION_TIMEOUT_MINUTESif needed.
CLI Login Hangs
Section titled “CLI Login Hangs”The CLI does not run a local callback server. It opens the browser and polls the gateway.
-
Check gateway reachability
Terminal window curl https://gateway.example.com/api/v1/health -
Use
--no-opento capture the auth URLTerminal window rack-gateway login production https://gateway.example.com --no-open -
Complete the browser flow
Ensure the browser can reach the gateway and Google OAuth endpoints.
Authorization Issues
Section titled “Authorization Issues””Forbidden” for Expected Users
Section titled “”Forbidden” for Expected Users”Possible causes:
- User role not updated in the gateway
- Permission requires MFA step-up
Checks:
- Verify roles in the web UI (Users page).
- If MFA is required, rerun the command and supply
--mfa-codewhen prompted.
API Token Rejected
Section titled “API Token Rejected”Possible causes:
- Token revoked or expired
- Token not passed correctly
Checks:
- Token must start with
rgw_. - Use
RACK_GATEWAY_API_TOKENor--api-token. - Confirm token exists in the web UI (API Tokens).
Convox Proxy Issues
Section titled “Convox Proxy Issues””Bad Gateway” Errors
Section titled “”Bad Gateway” Errors”Possible causes:
- Convox API unreachable
RACK_TOKENinvalid or missingRACK_HOSTmisconfigured
Checks:
- Verify
RACK_TOKENis correct and set. - If running outside the rack network, set
RACK_HOSTto the Convox API URL. - Check gateway logs for upstream errors.
MFA Issues
Section titled “MFA Issues””Invalid TOTP Code”
Section titled “”Invalid TOTP Code””- Ensure device clock is in sync
- Try the next code window (30 seconds)
“WebAuthn Not Available”
Section titled ““WebAuthn Not Available””- Ensure the CLI build has WebAuthn support (CGO + libfido2)
- Fall back to TOTP when needed
Lost MFA Device
Section titled “Lost MFA Device”- Use backup codes if available
- Ask an admin to remove MFA methods in the web UI
Database Issues
Section titled “Database Issues”If the gateway fails to start or reports DB errors:
- Verify
DATABASE_URL/RGW_DATABASE_URLis set - Run migrations:
convox run admin -- ./rack-gateway-api migrate -a rack-gateway