Troubleshooting
401 Unauthorized on every endpoint
Cause: RequireAuthenticatedUser defaults to true, and you have not configured auth correctly.
What to check:
app.UseAuthentication()runs beforeapp.UseAuthorization().app.MapPrimusMembershipEndpoints()is mapped after auth middleware.- Your authenticated principal includes
NameIdentifier.
InvalidOperationException about missing NameIdentifier
Cause: the current implementation requires ClaimTypes.NameIdentifier on authenticated principals.
What to check:
- Your auth handler or identity provider maps a stable user ID into
NameIdentifier. - You are not relying only on
subor email without mappingNameIdentifier.
404 Not Found on membership, invitation, or active-tenant routes
Cause: the record is genuinely missing in the current implementation.
Examples:
- Active tenant was never selected.
- Invitation ID does not exist.
- Membership was already deleted or never created.
Invitation acceptance fails
Common causes:
- Email mismatch while
RequireMatchingEmailOnAcceptanceistrue. - Token payload does not match the invitation route.
- The invitation is revoked, expired, or already consumed.
- Protection errors fail closed while
FailClosedOnProtectionErrorsistrue.
Bootstrap admin fails unexpectedly
Common causes:
- The tenant already has an active membership for that user.
- Host-level policy configuration blocks the admin route.
- You expected bootstrap to create RBAC assignments automatically without the RBAC bridge.
Current run evidence
sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Integration/MembershipEndpointEdgeCaseTests.csCurrent run covers auth defaults, missing-NameIdentifier, missing records, and policy metadata.sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Unit/InvitationServiceTests.csCurrent run covers wrong-email acceptance and revoked invitation rejection.sdk/dotnet/tests/PrimusSaaS.Memberships.Tests/Unit/MembershipsRiskReductionTests.csCurrent run covers token-route mismatch, expired or consumed invitation behavior, fail-closed protection errors, and bootstrap duplicate protection.