DTK0013: Unauthorized RPC Access
Package:
@vitejs/devtools
Message
Unauthorized access to method
{name}from client [{clientId}]
Cause
This error is thrown by the RPC resolver in createWsServer() when an untrusted WebSocket client attempts to call a non-anonymous RPC method. Methods whose names start with vite:anonymous: are exempt from authentication and can be called by any client; all other methods require the client to be trusted.
A client becomes trusted through one of these mechanisms:
- Client auth is disabled (build mode,
clientAuth: false, orVITE_DEVTOOLS_DISABLE_CLIENT_AUTH=true) -- all clients are auto-trusted. - Auth token in storage -- the client provides a
vite_devtools_auth_tokenquery parameter that matches a token stored innode_modules/.vite/devtools/auth.json. - Static auth tokens -- the token matches one of the tokens listed in
devtools.config.clientAuthTokens.
If none of these conditions are met, the client is untrusted and any call to a non-anonymous method triggers this error.
Example
A client connecting without a valid auth token:
// Client-side: connecting without authentication
const ws = new WebSocket('ws://localhost:7812')
// This client is untrusted
// Calling a protected method triggers DTK0013
await rpc.invoke('my-plugin:get-data')
// Error: Unauthorized access to method "my-plugin:get-data" from client [abc123]Fix
Provide a valid authentication token when connecting:
// Client-side: connecting with a valid auth token
const ws = new WebSocket(
'ws://localhost:7812?vite_devtools_auth_token=your-token-here'
)Or configure static trusted tokens in your Vite config:
import devtools from '@vitejs/devtools'
// vite.config.ts
import { defineConfig } from 'vite'
export default defineConfig({
plugins: [
devtools({
config: {
clientAuthTokens: ['your-trusted-token'],
},
}),
],
})If you are developing locally and want to skip authentication entirely, see DTK0008 for how to disable client auth.
Source
packages/core/src/node/ws.ts