Troubleshooting

This guide covers common runtime execution failures, delegated identity issues, and security enforcement behaviors encountered while integrating with the Ephos Execution Gateway.

Q: Why is the Execution Gateway returning 403 ACCESS_DENIED?

This usually occurs because the requested destination violates the token's constrained outbound execution policy. Verify that the targetUrl matches the permitted domains configured for the Phantom Key or Ephos Token.

Q: Why is the Execution Gateway returning "Token not scoped for this service"?

The service parameter passed in your SDK initialization or API execution request is case-sensitive. It must match the registered service name from your Ephos Dashboard exactly (for example, TAVILY [DEV] is different from tavily [DEV]). Ensure the casing is identical to the entry in your dashboard key inventory.

Q: Why is the Execution Gateway returning 401 UNAUTHORIZED?

Check the expiration status of your Ephos Token. If the token was manually revoked or reached its TTL, you must mint a new one in the Dashboard. Also ensure your headers are correctly configured: X-Ephos-Token: et_live_xxx and X-Ephos-Secret: ps_live_xxx.

Q: The Vault is "Frozen".

A "Security Freeze" can only be lifted by an Organization Administrator. If your vault is frozen, it means the master decryption keys are temporarily disabled in the enclave to prevent exfiltration during a suspected compromise.

Q: I lost my Master Passphrase.

Important: Ephos cannot recover lost Master Passphrases. Because the platform operates under a zero-knowledge architecture, passphrases are never stored server-side and cannot be reset or retrieved.

If the Master Passphrase is permanently lost, encrypted Phantom Keys become unrecoverable and a new vault must be initialized.

Q: MCP Tool Discovery is failing.

Ensure your Ephos Token has the necessary scopes for the tools you're trying to use. The MCP gateway filters available tools based on the permissions granted to the provided token.

Q: My Claude Desktop / Cursor MCP connection status is "Failed to connect" or "Stuck in connecting".

This is commonly caused by configuration syntax or connection issues. Verify the following:

  • Verify the Path: Make sure the connection URL ends in /mcp/sse (e.g., https://auth.phantom-projects.com/mcp/sse). Without the /sse pathname, the remote agent will hit the root gateway proxy and receive a 404/method not allowed error.
  • Check Header Flags: Ensure the token and secret are explicitly passed via the --header argument. The mcp-remote package is a generic wrapper; it does not automatically forward custom environment variables as HTTP headers.
  • Double Check Keys: Ensure the environment variables are referenced correctly inside the arguments (e.g., "X-Ephos-Token: ${EPHOS_TOKEN}"). Note that variable substitution syntax is client-specific; if your client does not support it, write the actual credentials directly into the --header strings.
Q: Derived Execution Authentication is failing.

Verify that the local PBKDF2 derivation flow completed successfully and that the derived execution credential matches the active Ephos Token. Derived authentication failures are commonly caused by expired tokens, incorrect salts, or stale local credential caches.