Seeing `invalid signature: the signature value`...`is incorrect`

We ran across:

```json
{
  "date": "2026-06-11T05:50:14.771Z",
  "type": "flo",
  "description": "invalid signature: the signature value ...== is incorrect",
  "connection_id": "",
  "client_id": "...",
  "client_name": "...",
  "ip": "...",
  "user_agent": "Edge 149.0.0 / Windows 10.0.0",
  "details": {
    "allowed_logout_url": []
  },
  "hostname": "...",
  "user_id": "",
  "user_name": "",
  "location_info": {
    ...
  },
  "$event_schema": {
    "version": "1.0.0"
  },
  "environment_name": "prod-us-1",
  "log_id": "90020260611055014807412000000000000001223372175632636094",
  "tenant_name": "...",
  "_id": "90020260611055014807412000000000000001223372175632636094",
  "isMobile": false,
  "id": "90020260611055014807412000000000000001223372175632636094"
}
```

There were a couple of other old posts about invalid signatures, but they didn’t say much. I’m leaving this here mostly so others can see it’s a thing.

As this is logout as opposed to login, I don’t think this is an attacker sending random garbage (it’s a real user; and they’re using our frontend which uses auth0/auth0.js (the Auth0 headless browser SDK) to manage things).

Hi @jsoref

Thank you for reaching out and sharing all the information!

I understand that you are seeing an “invalid signature: the signature value …== is incorrect” error message during logout.

The log event you provided features a log type of `"type": "flo"`, which translates to Failed Logout (User logout failed). This typically points to a signature validation failure during a federated Single Logout (SLO) handshake—specifically when Auth0 acts as a Service Provider (SP) connected to an external SAML/OIDC Identity Provider (IdP).

Allow me to share some possible causes for this behaviour and how to fix them:

  1. SAML SLO Endpoint Misconfiguration: In federated SAML setups, there is a known issue where Single Sign-Out fails because the exposed metadata or the IdP configuration points to the wrong logout endpoint. Double-check the Single Logout Service (SLS) URL in your Identity Provider and ensure it aligns with the correct /v2/logout format defined in Auth0’s SAML metadata. I recommend checking out the solution for the following topic on SAML SignOut Request yielding Invalid Signature log;

  2. IDP Certificate Rollovers & Desync: Verify that the public X.509 certificate uploaded under your Auth0 Enterprise Connection settings matches the active signing certificate on your external IdP;

  3. Signature Algorithm Mismatch (SHA-1 vs. SHA-256): Confirm that the signature algorithm preferences (e.g., RSA-SHA256) match perfectly on both the IdP settings and the Auth0 Connection configuration.

Hope the above information has helped you resolve the error!

Best regards,
Gerald
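
Checks 2 and 3 from the reply above can be run offline against the IdP's metadata and a captured logout request. The following is an added example, not code from either poster or from Auth0. It assumes a SAML HTTP-Redirect logout, where the algorithm travels in the `SigAlg` query parameter; the function names, hosts and sample data are constructed for illustration.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIG_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
            "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256"}

def fingerprint(cert_text):
    """SHA-256 of the DER bytes; PEM armor lines and whitespace are ignored."""
    lines = [l for l in (cert_text or "").splitlines() if "-----" not in l]
    return hashlib.sha256(base64.b64decode("".join("".join(lines).split()))).hexdigest()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate the IdP metadata publishes."""
    # Input is your own IdP's metadata; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute covers signing too
            found.update(fingerprint(c.text) for c in kd.iterfind(".//ds:X509Certificate", NS))
    return found

def diagnose(metadata_xml, configured_cert, logout_url, expected_alg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if fingerprint(configured_cert) not in idp_signing_fingerprints(metadata_xml):
        findings.append("certificate mismatch")
    query = parse_qs(urlsplit(logout_url).query)
    alg = SIG_ALGS.get(query.get("SigAlg", [""])[0], "unknown")
    if alg != expected_alg:
        findings.append(f"algorithm mismatch: request uses {alg}, expected {expected_alg}")
    return findings

# Constructed sample data: the byte strings stand in for certificates, they are not real ones.
NEW_B64 = base64.b64encode(b"constructed stand-in for the IdP's current cert").decode()
OLD_PEM = ("-----BEGIN CERTIFICATE-----\n"
           + base64.b64encode(b"constructed stand-in for the rotated-out cert").decode()
           + "\n-----END CERTIFICATE-----")
METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://idp.example"><md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_B64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor>'
            '</md:EntityDescriptor>')
LOGOUT_URL = ("https://sp.example/logout?SAMLRequest=constructed&SigAlg="
              "http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=constructed")

if __name__ == "__main__":
    print(diagnose(METADATA, OLD_PEM, LOGOUT_URL, "RSA-SHA256"))
```

Comparing fingerprints of the decoded bytes rather than the certificate text avoids false mismatches from line wrapping or PEM headers.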