unauthorized

Summary

public key not authorized

Help

add the key to [admin].authorized or to the authorized_keys file on the agent host

Details

When this fires

Headers parsed, timestamp was in window, nonce was fresh, but the public key in x-nanook-key did not match any entry in the agent's AuthorizedKeys set. That set is built from [admin].authorized (inline lines in nanook.toml) plus any file pointed at by [admin].authorized_keys. User-visible symptom: nanook ctl returns a clean 401 even though signing worked locally.

What to check

• Print your local pubkey and compare it to the agent's trust list:

nanook keygen --print-pub

• Add the matching ssh-ed25519 <b64> <comment> line to [admin].authorized (or the configured authorized_keys file), then nanook ctl reload so the agent picks it up.