# 20152: Invalid Header

Log Type: TWILIO

Log Level: ERROR

## Description

This error occurs when the header portion of the JWT presented for Public Key Client Validation does not meet Twilio's required structure or values (for example, missing required fields or using unsupported algorithms).

### Possible causes

* The JWT header omits required fields such as `cty`, `alg`, or `kid`, which Twilio marks as required for Public Key Client Validation.
* The `cty` value is not exactly `twilio-pkrv;v=1`.
* The `alg` value is not one of `RS256` or `PS256`, which are the only algorithms Twilio supports for this feature.
* The `typ` value is set to something other than `JWT` (other values are rejected), or the header is otherwise malformed.
* The JWT components are not correctly base64url-encoded and concatenated as `<base64URLencoded header>.<base64URLencoded claims>.<base64URLencoded signature>`.

### Possible solutions

* Construct the JWT header with the exact fields and values Twilio requires:
  * Set `cty` to `twilio-pkrv;v=1`.
  * Use `alg` as `RS256` or `PS256` only.
  * Include `kid` referencing the `CredentialSid` for the uploaded public key.
  * Use `typ` as `JWT` or omit it (defaults to `JWT`).
* Ensure the JWT is base64url-encoded and formed as `<base64URLencoded header>.<base64URLencoded claims>.<base64URLencoded signature>`.
* Upload your public key and reference it via the `CredentialSid` in `kid` so Twilio can validate the signature.
* Attach the generated JWT to your API request using the `Twilio-Client-Validation` header.

#### Additional resources

* [Public Key Client Validation Quickstart](/docs/iam/pkcv/quickstart)
* [Get Started with Public Key Client Validation](/docs/iam/pkcv)
* [Credentials API](/docs/iam/credentials/api)