Request Header or Cookie Too Large

Last Updated: Jul 31, 2024

Overview

Calling the /userinfo endpoint returns the error:

Request Header or Cookie Too Large

The error seems to have been returned from Nginx.

Applies To

  • Endpoint
  • Nginx

Cause

Auth0 has a hard limit on the header size (8k). If the request headers exceed that limit, Nginx (the reverse proxy software Auth0 uses for its APIs) returns the error Request Header or Cookie Too Large.

The issue can be reproduced with curl by carefully selecting the information passed in the request headers.

Having an Access Token with too many scopes can bloat its size. However, several other cases can cause this error.

  1. Cookie size in the Request Header.
  2. A Custom Domain with a Reverse Proxy is used, and the proxy adds additional cookies to the Request Header.

There are also some cases where this error can be reproduced in Postman. Postman adds a cookie to the request headers, and it’s not possible to remove that cookie from the request.

Solution

The solution to this issue is reducing the size of request headers. Ideally, removing any unnecessary cookies and request headers will help fix the issue.
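
To see which headers to trim, the following added example (not Auth0 code) measures each request header, compares the total with the limit, and counts the scopes in a JWT Access Token. It assumes "8k" means 8192 bytes counted over the serialized header lines; the function names and the sample request are constructed for illustration.

```python
import base64
import json

LIMIT_BYTES = 8 * 1024  # assumption: the page's "8k" taken as 8192 bytes


def header_sizes(headers):
    """Bytes each header occupies on the wire as 'Name: value' plus CRLF."""
    return {name: len(f"{name}: {value}\r\n".encode())
            for name, value in headers.items()}


def token_scopes(authorization):
    """Scopes in a JWT bearer token's payload (decoded only, not verified)."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return []  # opaque or malformed token: nothing to inspect
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return []
    return str(claims.get("scope", "")).split() if isinstance(claims, dict) else []


def audit(headers, limit=LIMIT_BYTES):
    """Total header size, whether it exceeds the limit, and the main contributor."""
    sizes = header_sizes(headers)
    total = sum(sizes.values())
    return {"total": total, "over_limit": total > limit,
            "largest": max(sizes, key=sizes.get, default=None),
            "scope_count": len(token_scopes(headers.get("Authorization", "")))}


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample: unsigned JWT carrying 400 scopes, plus a large proxy cookie.
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}),
    _b64({"scope": " ".join(f"read:res{i}" for i in range(400))}), "sig"])
SAMPLE_HEADERS = {"Host": "tenant.example.com",
                  "Authorization": f"Bearer {SAMPLE_TOKEN}",
                  "Cookie": "proxy_session=" + "a" * 4000}

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```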