GetAccessToken gives user does not exist

I’m running a simple ServiceStack service that uses the following setup:

            public override void Configure(Container container)
            {
                // Register the custom credentials provider and the JWT provider
                Plugins.Add(new AuthFeature(() => new AuthUserSession(),
                    new IAuthProvider[]
                    {
                        new MyXPOCredentialsAuthProvider() { Provider = "XAF" },
                        new JwtAuthProvider(AppSettings)
                        {
                            AuthKey = AesUtils.CreateKey(), // new key on every start
                            RequireSecureConnection = false,
                            ExpireTokensIn = new TimeSpan(0, 1, 0, 0, 0),
                            ExpireRefreshTokensIn = new TimeSpan(0, 8, 0, 0, 0)
                        }
                    }) { IncludeAssignRoleServices = false });
                container.Register(new MemoryCacheClient());
                var userRep = new InMemoryAuthRepository();
                Plugins.Add(new PostmanFeature());
                Plugins.Add(new CorsFeature());
                Plugins.Add(new OpenApiFeature());
                Plugins.Add(new SessionFeature());
            }


Everything goes ok with authentication and I get a BearerToken and a RefreshToken. However, when trying /access-token (using the Swagger UI) I get an error stating that ‘User does not exist’. How would I solve this?


Not sure what you’re doing trying to call GetAccessToken directly using the Swagger UI, but it requires a valid Refresh Token in order to retrieve a new JWT BearerToken.

I was trying to emulate an error report from a third party using the service. They are using PHP and I thought it would be easiest to try and use the Swagger UI. So I authenticate using the Swagger UI and copy and paste the refresh token that I receive in the response.

I must admit I never used the JWT authorization stuff before and am somewhat struggling to understand how all the stuff works given the many options (and translate that to a party using PHP).


The JWT Bearer and Refresh Tokens should just be treated like opaque strings so it shouldn’t matter which client is used to send them as long as they’re sent in the Authorization HTTP Request Header:

Authorization: Bearer <token>

Or with the ss-tok Cookie.

If you’re not using any of the ServiceStack Service Clients which contain built-in support for JWT’s I’d recommend having external clients authenticate using UseTokenCookie=true, e.g:

var authResponse = client.Send(new Authenticate {
    provider = "credentials",
    UserName = username,
    Password = password,
    UseTokenCookie = true
});

So the JWT is returned in the ss-tok Cookie as HTTP Clients typically automatically resend any Cookies so you wouldn’t need to extract the JWT and configure it on the Authorization HTTP Header of the client you’re using.

The above request roughly translates to the HTTP POST Request:

Content-Type: application/x-www-form-urlencoded


If using normal Form POST data or you could send a serialized JSON Request Body instead if it’s easier from PHP. When in doubt start from a working C# Example and use Fiddler to capture the raw HTTP Headers and compare them with what the PHP client is sending.

Note AuthKey = AesUtils.CreateKey() generates a new Auth Key each time the App Domain is restarted, I’d recommend configuring your AppHost to use the same Base64 Auth Key instead as mentioned in the start of the JWT docs so JWT’s created are valid beyond App restarts.
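
The note on AuthKey above, as an added example that is not part of the original thread and is not ServiceStack's code: a minimal HS256 sign and verify in plain .NET, used here as an assumed stand-in for the provider's token handling, showing that a token signed before a restart fails verification against a freshly generated key while a key loaded from stored Base64 keeps validating. The class, the helper names and the sample claims are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class JwtKeyDemo
{
    // Base64url without padding, as used for JWT segments.
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Build header.payload.signature using HMAC-SHA256 (HS256).
    static string Sign(string payloadJson, byte[] key)
    {
        var head = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var body = B64Url(Encoding.UTF8.GetBytes(payloadJson));
        using var mac = new HMACSHA256(key);
        var sig = mac.ComputeHash(Encoding.ASCII.GetBytes(head + "." + body));
        return head + "." + body + "." + B64Url(sig);
    }

    // Recompute the signature with the given key and compare in constant time.
    static bool Verify(string token, byte[] key)
    {
        var parts = token.Split('.');
        if (parts.Length != 3) return false;
        using var mac = new HMACSHA256(key);
        var expected = B64Url(mac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1])));
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(parts[2]));
    }

    // Random 256-bit key, standing in for a key created in code at startup.
    static byte[] NewKey() { var k = new byte[32]; RandomNumberGenerator.Fill(k); return k; }

    static void Main()
    {
        const string payload = "{\"sub\":\"1\",\"exp\":4102444800}"; // constructed sample claims

        // Case 1: key generated at startup; a restart produces a different key.
        var keyBeforeRestart = NewKey();
        var token = Sign(payload, keyBeforeRestart);
        var keyAfterRestart = NewKey(); // simulated App Domain restart
        Console.WriteLine("same process:  " + Verify(token, keyBeforeRestart));
        Console.WriteLine("after restart: " + Verify(token, keyAfterRestart));

        // Case 2: key generated once and kept as Base64 in configuration.
        var storedBase64 = Convert.ToBase64String(NewKey()); // stands in for the configured value
        var token2 = Sign(payload, Convert.FromBase64String(storedBase64));
        Console.WriteLine("persisted key: " + Verify(token2, Convert.FromBase64String(storedBase64)));
    }
}
```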