> ## Documentation Index
> Fetch the complete documentation index at: https://unkey.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# portal_token_missing

> A request to a portal-authenticated endpoint was made without a portal session token. Provide the session cookie or session header from the portal.

<Danger>`err:unkey:authentication:portal_token_missing`</Danger>

```json Example theme={"theme":"kanagawa-wave"}
{
  "meta": {
    "requestId": "req_2c9a0jf23l4k567"
  },
  "error": {
    "detail": "A portal session token is required for this request.",
    "status": 401,
    "title": "Unauthorized",
    "type": "https://unkey.com/docs/errors/unkey/authentication/portal_token_missing"
  }
}
```

## What Happened?

This error occurs when a request was made to an endpoint that requires a [Customer Portal](/quickstart/portal) session, but no session token was supplied. Portal-authenticated endpoints expect either:

* An `httpOnly` session cookie set by the portal after a successful session exchange, or
* An `Authorization: Bearer <portal-session-token>` header on direct API calls from a browser session.

Common causes include:

* The user's browser has cookies disabled or blocked for the portal domain.
* The session was never created — the user landed on the portal without going through `POST /v2/portal.exchangeSession`.
* A backend integration is calling a portal-only endpoint with a root key instead of a portal session token.
* The session cookie was cleared or the user opened the portal in a private/incognito window with stripped state.

## How To Fix

Make sure the user has an active portal session before calling portal endpoints:

1. From your backend, call `POST /v2/portal.createSession` with your root key to create a session.
2. Redirect the user to the returned `url`. The portal will exchange the short-lived session ID for a 24-hour browser session.
3. Subsequent requests from the browser must include the portal session cookie or token.

```bash theme={"theme":"kanagawa-wave"}
curl -X POST https://api.unkey.com/v2/portal.createSession \
  -H "Authorization: Bearer YOUR_ROOT_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "slug": "my-portal",
    "externalId": "user_123",
    "permissions": ["api.*.read_key"]
  }'
```

If you are calling the portal API directly from JavaScript, ensure your fetch includes credentials so the session cookie is sent:

```typescript theme={"theme":"kanagawa-wave"}
await fetch("https://api.unkey.com/v2/...", {
  credentials: "include",
});
```

## Common Mistakes

* **Calling portal endpoints with a root key**: Root keys authenticate backend requests, not portal endpoints. Use a portal session.
* **Missing `credentials: "include"`**: Cross-origin browser requests omit cookies by default.
* **Expired session not refreshed**: After 24 hours the session expires — your backend must create a new one.
* **Direct navigation to the portal**: Users must arrive via your backend redirect, not by visiting the portal URL directly.

## Related Errors

* [err:unkey:authentication:portal\_session\_not\_found](./portal_session_not_found) - When a portal session token is provided but invalid or expired
* [err:unkey:authentication:missing](./missing) - When no authentication credentials are provided to a non-portal endpoint
* [err:unkey:data:portal\_config\_not\_found](../data/portal_config_not_found) - When the portal configuration referenced by `slug` does not exist