Mystery of the Companion uppy-auth-token

Howdy – we have added Uppy to our react application and it works well with Drag and Drop and the base non-companion functionality. We have tried adding the Google drive connector, and running companion in a multitude of ways as a standalone or express server in a node js script. We have configured the secret value and the requests make it to companion, but the uppy-auth-token is always unset unless we explicitly pass the header.

Nothing gets set in local storage or the cookies, and it is a complete mystery after many days of debugging this, reading through all support threads new and old, and re-reading the docs a hundred times. One engineer thinks this has uppy-auth-token value should have something to do with our own JWT token, because of the jsonwebtoken library under the hood. I don’t think so, but we both agree that some value, possibly with Bearer in front, should get encrypted using the secret, but doing so from our CRA (create react app) framework feels quite mysterious, even if we know what value we were supposed to be encrypting, the crypto library won’t be available in the user’s browser.

One time an Engineer on my time had in their local storage a value companion-GoogleDrive-auth-token which seems to correspond to a bit in the companion code companion-${this.pluginId}-auth-token – but we haven’t been able to replicate getting this value set in localstorage with any kind of consistency – in fact it seems more like an anomaly that we have ever seen that value, given on average its always missing.

Any advice at all on what headers we need to supply to work with Companion would be much appreciated, and the docs mention a secret but don’t talk at all about the uppy-auth-token or how it is used.

Hi. Are yo ugetting any error in your browser console or in companion logs? Not sure exactly where it fails, but you’re right, companion will send back an companion-${this.pluginId}-auth-token, and uppy will send this as an uppy-auth-token header. Maybe youre missing some CORS headers that allow these to be sent. Try to disable CORS and see if you can make it work first.

@mifi At what point does it get the companion-${this.pluginId}-auth-token – from what I can see there are no related console errors and nothing calls companion until I click on the google drive connector at which point two requests are made:
1.) OPTIONS http://localhost:3020/drive/list/root → gets a 204
2.) GET http://localhost:3020/drive/list/root → gets 401 Unauthorized
– Companion logs show:

companion: 2023-03-14T06:19:52.499Z [info] jobs.cleanup.start starting clean up job
Welcome to Companion!
Listening on
(node:4062) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at
(Use `node --trace-warnings ...` to show where the warning was created)
companion: 2023-03-14T06:20:06.043Z [info] companion.client.version uppy client version @uppy/companion-client=3.1.1
companion: 2023-03-14T06:20:06.043Z [info] token.verify.unset cannot auth token

@mifi I figured it out, and it is not at all what I expected. Our application deleted our own JWTs from localstorage if the resource it fetches returns a 401 Unauthorized, but in the case of Companion when clicking on Google drive it returns a 401 Unauthorized. Once I modified this logic, i was no longer logged out and I was able to connect and get the uppy auth token and it all worked as described. I couldn’t believe this was the issue though!