Overview
In Khoros Communities Aurora, a custom Endpoint can fail intermittently for anonymous users when it executes GraphQL using graphqlAdmin, returning HTTP 401 and GraphQL UNAUTHENTICATED errors (sometimes surfaced upstream as “proxy errors”).
Aurora 25.11 has a known issue in which custom endpoints that execute GraphQL mutations using graphqlAdmin can fail because the request is evaluated as if it came from a logged-out / unauthenticated user. The issue is fixed in 25.12.[2]
If your environment is already on 25.12+ and you still see the behavior, treat this as a design / caller-context mismatch: graphqlAdmin is not a “service account” mechanism for truly anonymous callers.
Solution
Issue
A custom Endpoint intermittently fails for anonymous callers when the endpoint uses graphqlAdmin.
Common symptoms / exact errors
- HTTP status: 401
- GraphQL error code: UNAUTHENTICATED
- Messages such as:
  "You are not authorized to make this request"
  "Response not successful: Received status code 401"
- Errors that indicate the request is being evaluated as logged out/anonymous (for example, UserRef[id=-1] appears in error output).[2]
Why it happens (root cause)
- graphqlAdmin is intended for use cases where a signed-in user context exists and you explicitly want elevated permissions for that signed-in identity.
- If the request is truly anonymous (no signed-in identity context), it can be evaluated as unauthenticated. Depending on the specific operation and environment, this can surface as HTTP 401 with UNAUTHENTICATED.
- “Intermittent” behavior is commonly explained by whether the caller has a valid session at the time of the request (for example: some requests originate from a browser context with cookies, and other requests are truly anonymous/uncookied, or a proxy/client intermittently fails to forward cookies/headers).
Important note about Aurora versions
- If you are on Aurora 25.11, confirm whether you are hitting the known graphqlAdmin regression and upgrade to 25.12+.[2]
- If you are already on 25.12+ and still see failures, the 25.11 regression is likely not applicable; review endpoint design and GraphQL client selection.[2]
Investigation checklist
- Confirm your Aurora version by calling:
  https://YOUR_COMMUNITY_URL/t5/s/status/version
  The version-check URL is documented in the official guidance for the Aurora 25.11 graphqlAdmin regression.[2]
- Capture the full error response body (not just the HTTP status) so you can confirm whether you are seeing UNAUTHENTICATED or logged-out indicators like UserRef[id=-1].[2]
- Confirm whether permission elevation is actually required. If the endpoint is intended to serve anonymous callers and does not require elevation, graphqlAdmin is usually the wrong client for that path.
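The checklist above can be applied mechanically to captured failures. The following is an added example, not Khoros code and not part of the original article: the Capture shape, the function names and the verdict labels are hypothetical, the version value is assumed to contain "major.minor" text, and the response body is treated as opaque text searched only for the strings this article lists.

```typescript
// Added triage example; not Khoros code. Markers are the strings this article lists.
const LOGGED_OUT_MARKERS = ["UNAUTHENTICATED", "UserRef[id=-1]", "User must be registered"];
const UNAUTHORIZED_MESSAGES = [
  "You are not authorized to make this request",
  "Received status code 401",
];

type Verdict =
  | "not-an-auth-failure"
  | "check-25.11-regression"   // on 25.11: confirm the known issue, upgrade to 25.12+
  | "review-client-selection"  // graphqlAdmin reached by a caller with no signed-in identity
  | "collect-for-support";     // auth failure without graphqlAdmin in the path

interface Capture {
  auroraVersion: string;     // assumption: text containing "major.minor", e.g. "25.11"
  httpStatus: number;
  body: string;              // full response body, kept as raw text (no schema assumed)
  usesGraphqlAdmin: boolean; // known from reading the endpoint source
}

// Returns every listed marker found in the body, in list order.
function matchedMarkers(body: string): string[] {
  return [...LOGGED_OUT_MARKERS, ...UNAUTHORIZED_MESSAGES].filter((m) => body.includes(m));
}

function triage(c: Capture): { verdict: Verdict; markers: string[] } {
  const markers = matchedMarkers(c.body);
  if (c.httpStatus !== 401 && markers.length === 0) {
    return { verdict: "not-an-auth-failure", markers };
  }
  if (!c.usesGraphqlAdmin) return { verdict: "collect-for-support", markers };
  // An unparseable version falls through to the design review path.
  const m = /(\d+)\.(\d+)/.exec(c.auroraVersion);
  const is2511 = m !== null && Number(m[1]) === 25 && Number(m[2]) === 11;
  return { verdict: is2511 ? "check-25.11-regression" : "review-client-selection", markers };
}

// Constructed sample captures (not real Khoros responses).
const samples: Capture[] = [
  { auroraVersion: "25.11", httpStatus: 401, usesGraphqlAdmin: true,
    body: "error: UNAUTHENTICATED for UserRef[id=-1]" },
  { auroraVersion: "25.12", httpStatus: 401, usesGraphqlAdmin: true,
    body: "Response not successful: Received status code 401" },
  { auroraVersion: "25.12", httpStatus: 200, usesGraphqlAdmin: true, body: '{"data":{}}' },
];
for (const s of samples) console.log(s.auroraVersion, s.httpStatus, triage(s));
```

Running it over several captures of the same endpoint, some cookied and some not, makes the "intermittent" pattern visible as a split between verdicts.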
Resolution (supported pattern)
The public Endpoints documentation describes that the endpoint handler’s context provides a client object with GraphQL clients (graphql and graphqlAdmin).[1]
If the endpoint is intended for anonymous users and does NOT need elevation
- Avoid graphqlAdmin for the anonymous request path.
- Use graphql for the anonymous request path (and for normal signed-in requests as well, if admin elevation is not required).[1]
Example approach: one endpoint supporting all user types (anonymous + signed-in)
If you need one endpoint to support both anonymous and signed-in users, select the GraphQL client based on the caller identity. If your Endpoint SDK provides graphqlAnonymous, you can use it for anonymous calls and graphql for signed-in calls.
```typescript
import type { EndpointHandlerContext } from "aurora/externalServerContext";
import boardQuery from "./queries/Board.query.graphql";

export default async function handler(context: EndpointHandlerContext) {
  const {
    client: { graphql, graphqlAnonymous },
    server: { caller, response }
  } = context;

  // A uid of -1 marks a logged-out (anonymous) caller.
  const isAnonymous = caller?.uid === -1;

  // Pick the client that matches the caller identity; graphqlAdmin is never used here.
  const gql = isAnonymous ? graphqlAnonymous : graphql;

  const result = await gql.query({
    query: boardQuery,
    variables: {}
  });

  response.json(result);
}
```
If graphqlAnonymous is not available in your environment, a safe default for non-elevated flows is to use graphql for both anonymous and signed-in callers.
If you truly need elevated permissions
- Only use graphqlAdmin when the caller is authenticated and the use case is explicitly designed to elevate privileges for that signed-in identity.[1]
- If you need “service account” style behavior for system-to-system calls, treat that as a separate design requirement (authenticated integration, token-based auth, or a dedicated server-side flow), not an anonymous browser flow.
Validation (how to verify the fix)
- Anonymous test: call the endpoint from an incognito/private browser session (no cookies).
- Authenticated test: call the endpoint while signed in.
- If a proxy/gateway is involved: verify it consistently forwards required headers/cookies for authenticated flows and does not apply auth rules that contradict the intended anonymous behavior.
FAQs
- How do I know if the Aurora 25.11 graphqlAdmin regression applies to me?
  If you are running Aurora 25.11 and your custom endpoint uses graphqlAdmin, you may see errors where GraphQL indicates the request is being evaluated as logged out/anonymous (for example, UserRef[id=-1] or User must be registered).[2]
- Is upgrading Aurora required to fix this?
  Not necessarily. If you are already on 25.12+ and still see failures, the 25.11 regression is likely not applicable, and you should review whether the endpoint is using graphqlAdmin for anonymous callers and whether that endpoint path actually needs elevation.[2]
- What details should I provide to Support if the issue persists?
  Provide the items listed in “What to provide to Support”: community URL(s), endpoint URL/name, GraphQL operation name, a sample request and the full error response, a failing timestamp with timezone, and your current Aurora version.[2]
Ciprian Nastase