Skip to content

DTK0013: Unauthorized RPC Access

Package: @vitejs/devtools

Message

Unauthorized access to method {name} from client [{clientId}]

Cause

This error is thrown by the RPC resolver in createWsServer() when an untrusted WebSocket client attempts to call a non-anonymous RPC method. Methods whose names start with vite:anonymous: are exempt from authentication and can be called by any client; all other methods require the client to be trusted.

A client becomes trusted through one of these mechanisms:

  1. Client auth is disabled (build mode, clientAuth: false, or VITE_DEVTOOLS_DISABLE_CLIENT_AUTH=true) -- all clients are auto-trusted.
  2. Auth token in storage -- the client provides a vite_devtools_auth_token query parameter that matches a token stored in node_modules/.vite/devtools/auth.json.
  3. Static auth tokens -- the token matches one of the tokens listed in devtools.config.clientAuthTokens.

If none of these conditions are met, the client is untrusted and any call to a non-anonymous method triggers this error.

Example

A client connecting without a valid auth token:

ts
// Client-side: connecting without authentication
const ws = new WebSocket('ws://localhost:7812')
// This client is untrusted

// Calling a protected method triggers DTK0013
await rpc.invoke('my-plugin:get-data')
// Error: Unauthorized access to method "my-plugin:get-data" from client [abc123]

Fix

Provide a valid authentication token when connecting:

ts
// Client-side: connecting with a valid auth token
const ws = new WebSocket(
  'ws://localhost:7812?vite_devtools_auth_token=your-token-here'
)

Or configure static trusted tokens in your Vite config:

ts
import devtools from '@vitejs/devtools'
// vite.config.ts
import { defineConfig } from 'vite'

export default defineConfig({
  plugins: [
    devtools({
      config: {
        clientAuthTokens: ['your-trusted-token'],
      },
    }),
  ],
})

If you are developing locally and want to skip authentication entirely, see DTK0008 for how to disable client auth.

Source

packages/core/src/node/ws.ts

Released under the MIT License.