Error: Invalid JWT audience. When connecting to Cloud Run using IAP

[IsmailMehdi]

Prerequisites

• I've searched the current open issues
• I've updated to the latest version of Toolbox
• I've updated to the latest version of the SDK

Toolbox version

toolbox version 0.23.0+binary.linux.amd64.466aef0

Environment

1. OS type and version: (output of uname -a): Linux bastion-evalbench-20251212-222704 6.17.0-1005-gcp feat!: Add Toolbox LangChain SDK code from 'main' branch of https://g… #5-Ubuntu SMP Sat Nov 22 06:06:50 UTC 2025 x86_64 GNU/Linux
2. How are you running Toolbox:

• As a container (e.g. from us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:$VERSION) in cloudrun

3. Python version (output of python --version): Python 3.13.7
4. pip version (output of pip --version):
   uv 0.9.18

Client

1. Client: sample python
2. Version: (pip show <package-name>)? e.g.

• toolbox-core version 0.5.4

3. Example: If possible, please include your code of configuration:

# Code goes here! 
import asyncio
from toolbox_core import ToolboxClient, auth_methods

# Replace with the Cloud Run service URL generated in the previous step
URL = "https://toolbox-dataagent-898603957982.us-central1.run.app"

auth_token_provider = auth_methods.get_google_id_token(URL)  # can also use sync method


async def main():
    async with ToolboxClient(
        URL,
        client_headers={"Authorization": auth_token_provider},
    ) as toolbox:
        toolset = await toolbox.load_toolset()
        print(toolset)


asyncio.run(main())

Expected Behavior

The client should be able to connect to toolbox and load the toolset.

Current Behavior

RuntimeError: API request failed with status 401 (Unauthorized). Server response: Invalid IAP credentials: Invalid bearer token. Invalid JWT audience.

Steps to reproduce?

1. ?
2. ?
3. ?
   ...

Additional Details

Toolbox is deployed into Cloud Run with "Enable IAP from Cloud Run" enabled and users added to the binding.

[twishabansal]

Hi @IsmailMehdi . Thank you for raising this issue and I'm currently investigating. To make this process quicker, can you tell me if this method works if you have only IAM enabled without IAP?

[IsmailMehdi]

Hi @IsmailMehdi . Thank you for raising this issue and I'm currently investigating. To make this process quicker, can you tell me if this method works if you have only IAM enabled without IAP?

I tried today, same issue with regular IAM.

[twishabansal]

@IsmailMehdi I'm working on an IAP fix. However, I was able to make this work using regular IAM.

Please perform the following checks:

1. Check if your ADC is set up correctly. You can run gcloud auth application-default login to login again using your user account (xyz@google.com) . I am assuming that you're using your own user account and not a service account.
2. Ensure your user account has the IAM permission (Cloud Run Invoker).

[twishabansal]

@IsmailMehdi there have been some auth issues (eg.) with MCP propagation. The next release should fix that.

Meanwhile please update your toolbox-core version

pip install --upgrade toolbox-core

and specify the protocol to be toolbox using this code

from toolbox_core.protocol import Protocol

async with ToolboxClient(
        URL,
        client_headers={"Authorization": auth_token_provider},
        protocol=Protocol.TOOLBOX
    ) as toolbox:

[charlesdassonville]

Same issue with regular IAM. Simply adding protocol=Protocol.TOOLBOX fixed this issue.
May we update documentation?

• https://googleapis.github.io/genai-toolbox/how-to/deploy_toolbox/
• https://pypi.org/project/toolbox-core/#client-to-server-authentication

[twishabansal]

@charlesdassonville I have created a PR to add some docs for this: googleapis/genai-toolbox#2320.

However, this should work without specifying the protocol on next release, so keeping the pypi docs the same for now.