Help ! Local Source Code Start 401 (UNAUTHORIZED)

[ljy19920616]

Self Checks

• I have searched for existing issues search for existing issues, including closed ones.
• I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:)
• Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

I followed the documentation to complete the Local Source Code Start deployment, but during login, the console continuously outputs the following errors:
GET http://localhost:5001/console/api/account/profile 401 (UNAUTHORIZED)POST http://localhost:5001/console/api/refresh-token 401 (UNAUTHORIZED)
I'm not sure which configurations need to be modified to successfully log in.

I have checked some resources, and some mention that I need to modify the following configurations in /dify/api/.env:

WEB_API_CORS_ALLOW_ORIGINS=*
CONSOLE_CORS_ALLOW_ORIGINS=*
CONSOLE_API_URL=http://localhost:5001/console/api
CONSOLE_WEB_URL=http://localhost:3000
SERVICE_API_URL=http://localhost:5001/api
APP_WEB_URL=http://localhost:3000

What values should these configurations be set to?

2. Additional context or comments

No response

[dosubot[bot]]

Hi @ljy19920616! I'm Dosu and I’m helping the dify team.

For local development, set your /dify/api/.env variables like this:

WEB_API_CORS_ALLOW_ORIGINS=http://localhost:3000,*
CONSOLE_CORS_ALLOW_ORIGINS=http://localhost:3000,*
CONSOLE_API_URL=http://localhost:5001
CONSOLE_WEB_URL=http://localhost:3000
SERVICE_API_URL=http://localhost:5001
APP_WEB_URL=http://localhost:3000

These values ensure the frontend (on port 3000) and backend/API (on port 5001) can communicate and exchange authentication tokens without CORS issues. The * allows all origins, but explicitly including http://localhost:3000 is important for cookies and credentials to work during login [.env.example].

Make sure you also:

• Set a strong SECRET_KEY in your .env for session security.
• Expose port 5001 in your Docker or local setup so the frontend can reach the API [plugin issue].
• Restart all services after changing .env.

If you still get 401 errors, check that your browser allows cookies for localhost, and that you’re not mixing up ports or protocols in your URLs. Recent changes in Dify require that session and user IDs match exactly during authentication, so mismatched or stale cookies can also cause 401s [PR #28297].

If you’re using OAuth login, make sure the redirect URIs in your provider settings match your CONSOLE_API_URL exactly, including protocol and port.

Let me know if you’re still stuck after these steps!

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[ljy19920616]

@dosu

After following the solution you provided, I still encountered the same error. I have listed the operation steps and hope to get your help.

1. I have completed the modification of the variables in /dify/api/.env and set the SECRET_KEY.

SECRET_KEY=O2Il+S/DUU3LrcOtCRdPS/73ufwzzX6KVl8V2EoHBYPXE8l1+dphH1Gp
WEB_API_CORS_ALLOW_ORIGINS=http://localhost:3000,*
CONSOLE_CORS_ALLOW_ORIGINS=http://localhost:3000,*
CONSOLE_API_URL=http://localhost:5001
CONSOLE_WEB_URL=http://localhost:3000
SERVICE_API_URL=http://localhost:5001
APP_WEB_URL=http://localhost:3000

2. Next, I first stopped the API service and worker service,
   ps aux | grep -E 'uv|flask|celery' | grep -v grep | awk '{print $2}' | xargs kill -9 2>/dev/null

3. and confirmed there were no remaining processes.
   ps aux | grep -E 'uv|flask|celery'

4. Then, I restarted the API service in the /dify/api/ directory,
   uv run flask run --host 0.0.0.0 --port=5001 --debug

2025-12-08 06:06:50,869 INFO [utils.py:164] NumExpr defaulting to 8 threads.

• Debug mode: off
  2025-12-08 06:06:52,259 INFO [_internal.py:97] WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
• Running on all addresses (0.0.0.0)
• Running on http://127.0.0.1:5001
• Running on http://192.168.0.149:5001
  2025-12-08 06:06:52,259 INFO [_internal.py:97] Press CTRL+C to quit

5. and restarted the worker service.
   uv run celery -A app.celery worker -P gevent -c 1 --loglevel INFO -Q dataset,generation,mail,ops_trace

...I’ve omitted some logs here as there are too many of them.
2025-12-08 06:07:23,808 INFO [connection.py:22] Connected to redis://:@localhost:6379/1
2025-12-08 06:07:23,813 INFO [mingle.py:40] mingle: searching for neighbors
2025-12-08 06:07:24,841 INFO [mingle.py:49] mingle: all alone
2025-12-08 06:07:24,878 INFO [worker.py:176] celery@localhost.localdomain ready.
2025-12-08 06:07:24,886 INFO [pidbox.py:111] pidbox: Connected to redis://:@localhost:6379/1.

6. Next, I ensured the variables in the frontend’s /dify/web/.env.local were correct (in fact, I only copied .env.example from the same directory and made no changes to it).
   NEXT_PUBLIC_API_PREFIX=http://localhost:5001/console/api
   NEXT_PUBLIC_PUBLIC_API_PREFIX=http://localhost:5001/api

7. After that, I restarted the frontend project with pnpm start.
   Starting server on localhost.localdomain:3000
   Server script path: .next/standalone/server.js
   Environment variables - PORT: 3000, HOSTNAME: localhost.localdomain
   ▲ Next.js 15.5.6

   • Local: http://localhost.localdomain:3000
   • Network: http://localhost.localdomain:3000
     ✓ Starting...
     ✓ Ready in 166ms

8. When I accessed http://localhost:3000, I encountered the exact same error as before, and I have attached some screenshots for reference.

The first two screenshots were captured when accessing http://localhost:3000.

The latter two screenshots were captured after logging in — a series of errors appeared, and I was eventually redirected back to the login page.

It seems that the login was successful, but the cookies failed to be set properly.
I am using Google Chrome and have already allowed all third-party cookies.

[Retake-Red]

I have the same question.The backend is on the server, but my frontend project start at localhost,and the browser can't set cookies because of secure policy. I also set https but it didn't works. Until now I still have no way to access the backend.
I'm curious this project not allow the frontend to start independently?

[anntnzrb]

Generate a SECRET_KEY in /api/.env: sed -i "/^SECRET_KEY=/c\\SECRET_KEY=$(openssl rand -base64 42)" .env (Linux) or equivalent for macOS. The 401 errors occur because JWT tokens cannot be signed/verified without a valid SECRET_KEY. Your CORS/URL configs look correct. See /api/README.md:33-42 for setup instructions.