Caddy handle_path /keygen/* → Keygen CE: ping/health OK, but /v1/accounts/<slug> and /tokens always 404

[pragatisd]

Hi Keygen team/community,

I’m self-hosting Keygen CE (keygen/api:latest) on a GCP VM using Docker. The web service is exposed on port 3005 (0.0.0.0:3005->3005/tcp). I’m using the VM’s Caddy to expose Keygen under a subpath and forward to the container.

What works

These endpoints work consistently (both directly and through Caddy):

1. curl -i http://127.0.0.1:3005/v1/health → 200
2. curl -i https:///keygen/v1/health → 200
3. curl -i https:///keygen/v1/ping → 200

What fails:-

Anything account-scoped fails and is routed to ErrorsController#show with 404 NOT_FOUND, e.g.:

1. GET https:///keygen/v1/accounts/ → 404
2. POST https:///keygen/v1/accounts//tokens → 404

Even though the account exists in the DB:

Account.count = 1

slug: (example: mtree-com)

Caddy config
{
handle_path /keygen/* {
reverse_proxy localhost:3005 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Host {host}
header_up X-Forwarded-Proto https
}
}
}

[pratikrath126]

Hey, the issue likely comes from missing headers. The /v1/health and /v1/ping endpoints are public and work without auth, but account/token routes require authentication (e.g., Cab-Key-id and Cab-Account headers) or a bearer token. Since Caddy is stripping only the path, you need to forward these headers from your client to Keygen. Add them in the reverse_proxy stanza:

handle_path /keygen/* {
  reverse_proxy localhost:3005 {
    header_up Host {host}
    header_up X-Forwarded-Proto https
    header_up Cab-Key-id {env.KEYGEN_PUBLIC_KEY_ID}
    header_up Cab-Account {env.KEYGEN_ACCOUNT_SLUG}
    # Or forward Authorization: Bearer <token>
  }
}

Also test directly against the container (curl http://localhost:3005/v1/accounts/<slug>) to confirm it works without Caddy. If that fails, the auth is missing there as well. Ensure you include the required headers per Keygen docs.

[ezekg]

Not sure what Cab-* headers are, but they aren't applicable to Keygen. The OP needs to specify the current account ID or slug. Calling GET /v1/accounts 404s because you can't list accounts, and POST /v1/accounts/tokens 404s because there's no account with the slug "tokens," and you can't POST to an account anyways. Try GET /v1/accounts/foo and POST /v1/accounts/foo/tokens, where "foo" is your account ID or slug. In singleplayer CE, you could also drop the /v1/accounts prefix entirely and just use /v1/tokens.