api-wallet.web3auth.io/auth/verify returns 400 Bad Request because v10.15.0 generates signatures longer than the server's 500-characte

What is this discussion about in one brief sentence?
api-wallet.web3auth.io/auth/verify returns 400 Bad Request because v10.15.0 generates signatures longer than the server’s 500-character limit.


Describe your issue or question:

After upgrading @web3auth/modal and @web3auth/no-modal from 10.14.1 to 10.15.0, social login (Google) completely breaks with
a 400 Bad Request from Web3Auth’s own verification server. Downgrading back to 10.14.1 fixes it.


Which platform or framework are you using?
React (Vite + TypeScript)


Which Web3Auth SDK (name and version)?


What is not working as expected?

After Google OAuth completes, Web3Auth internally calls POST https://api-wallet.web3auth.io/auth/verify and receives a 400
Bad Request. Login fails entirely. This did NOT happen on 10.14.1.


Exact error and logs:

POST https://api-wallet.web3auth.io/auth/verify
Status: 400 Bad Request

Response body:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Validation failed",
  "validation": {
    "body": {
      "source": "body",
      "keys": ["signatures.0"],
      "message": "\"signatures[0]\" length must be less than or equal to 500 characters long"
    }
  }
}

The signatures array in the request body contains JSON strings like:
"{"data":"eyJleHAiOjE3NzU5MDk3NDEs…(truncated)","sig":"7b129e2f…"}"

In v10.15.0 the data field (base64-encoded JWT) includes additional fields, pushing each stringified signature object over
500 characters. The server’s validation still enforces the old <= 500 limit.


Code snippets:

No user code change needed — this is triggered purely by the SDK version bump. Standard init:

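import { Web3Auth, WEB3AUTH_NETWORK } from "@web3auth/modal";

// clientId, chainConfig, bundlerUrl and paymasterUrl are defined elsewhere in the app.
const web3auth = new Web3Auth({
  clientId,
  chains: [chainConfig],
  web3AuthNetwork: WEB3AUTH_NETWORK.SAPPHIRE_MAINNET,
  accountAbstractionConfig: {
    smartAccountType: "safe",
    chains: [{ chainId: "0x2105", bundlerConfig: { url: bundlerUrl }, paymasterConfig: { url: paymasterUrl } }],
  },
});
await web3auth.init();
// Social login through Google; this is the call that ends in POST /auth/verify.
await web3auth.connectTo("auth", { authConnection: "google" });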


Package details:

┌────────────────────────────────────────┬─────────┬─────────┐
│ Package                                │ Broken  │ Working │
├────────────────────────────────────────┼─────────┼─────────┤
│ @web3auth/modal                        │ 10.15.0 │ 10.14.1 │
├────────────────────────────────────────┼─────────┼─────────┤
│ @web3auth/no-modal                     │ 10.15.0 │ 10.14.1 │
├────────────────────────────────────────┼─────────┼─────────┤
│ @web3auth/account-abstraction-provider │ 9.7.0   │ 9.7.0   │
└────────────────────────────────────────┴─────────┴─────────┘

Workaround: Pin to 10.14.1 (exact, no caret) until the server-side validation limit is increased to match the new signature
length.
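
The length check behind the 400 response in the post above, as an added example that is not part of the original post and is not Web3Auth code: it audits each `signatures[]` entry of a request body against the 500-character limit and lists the claims inside its base64 `data` field, so a longer payload can be compared with a shorter one. The function names and the `field_*` claims are constructed for illustration; only the limit and the `{"data","sig"}` entry shape come from the post.

```javascript
// Added diagnostic, not Web3Auth code. The 500-character limit and the
// {"data","sig"} entry shape are taken from the error report above.
const MAX_SIGNATURE_LENGTH = 500;

// Decode the base64 / base64url "data" field into its JSON claims.
function decodeData(data) {
  const b64 = data.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Report length, overshoot and claim names for each signatures[] entry.
function auditSignatures(signatures, limit = MAX_SIGNATURE_LENGTH) {
  return signatures.map((entry, index) => {
    const report = { index, length: entry.length, over: Math.max(0, entry.length - limit), claims: [] };
    try {
      const { data } = JSON.parse(entry);
      report.dataLength = data.length;
      report.claims = Object.keys(decodeData(data)).sort();
    } catch (err) {
      report.parseError = err.message; // malformed entry: its length is still reported
    }
    return report;
  });
}

// Constructed sample entries (not captured traffic): same shape, different payload sizes.
function makeEntry(claims) {
  const data = Buffer.from(JSON.stringify(claims)).toString("base64");
  return JSON.stringify({ data, sig: "ab".repeat(64) });
}
const base = { exp: 1775909741, field_a: "11".repeat(32), field_b: "22".repeat(32) };
const shortEntry = makeEntry(base);
const longEntry = makeEntry({ ...base, field_c: "33".repeat(40), field_d: "44".repeat(40) });

for (const r of auditSignatures([shortEntry, longEntry])) {
  console.log(`signatures[${r.index}]: ${r.length} chars, over by ${r.over}, claims: ${r.claims.join(",")}`);
}
```

Diffing the `claims` lists of a passing and a failing entry shows which added fields account for the extra length.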

Short summary: Upgrading @web3auth/modal / @web3auth/no-modal from 10.14.1 → 10.15.0 makes the SDK produce stringified signature objects >500 chars, causing POST https://api-wallet.web3auth.io/auth/verify to fail with a 400 validation error.

What I checked: I searched our Embedded Wallets knowledge base and didn’t find any existing doc/known-issue about v10.15.0 increasing signature length or server validation being updated.

Immediate recommendation (workaround): Pin @web3auth/modal and @web3auth/no-modal to 10.14.1 (exact, no caret) until server-side validation is adjusted.

If you want us to escalate: please paste (or redact PII and then paste) a single full failing POST /auth/verify request body (one signatures entry is enough) and the console SDK logs around the login call. You already provided great detail and repro steps — that’s enough for triage, but the request payload helps the infra team confirm the exact length/payload change.

Next steps from our side: I’ll escalate this to the Web3Auth/backend team to verify the validation limit and coordinate a server-side fix. A human engineer will follow up here once they investigate. If you prefer, opening an issue on the Web3Auth repo with the payload and SDK versions will speed visibility.

Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend that you join our monthly Office Hours to discuss this with our engineering team: MetaMask Developer Office Hours

Hi @Shubham_Raikwar ! Thanks for reporting this.

Other users reported the same error last week, and our team fixed it around the day that you created this post. Could you please confirm whether you are still having this issue right now? If yes, kindly provide us with more details.
https://builder.metamask.io/t/auth-verify-fails-signatures-0-must-be-500-characters-account-abstraction