Troubleshooting
CLI and MCP Auth
Section titled “CLI and MCP Auth”Symptom: login polling never authorizes
Section titled “Symptom: login polling never authorizes”What to check:
- Ensure you approved the exact device code in the browser approval flow.
- Confirm CLI/MCP is targeting the same control plane URL shown in the browser.
- Wait for poll interval and avoid excessive polling to prevent
slow_down.
Recovery:
- Run login again to generate a fresh device code.
- Approve the new user code in the web app.
- Poll again with the new
deviceCode.
Symptom: 401 on authenticated commands
Section titled “Symptom: 401 on authenticated commands”What to check:
- Local auth store may be missing, expired, or tied to another control plane URL.
Recovery:
- Run
roberto auth refresh. - If refresh fails, run
roberto auth logout --local-only. - Run
roberto auth loginagain.
Runtime Update Flow
Section titled “Runtime Update Flow”Symptom: runtime apply fails with approval or grant errors
Section titled “Symptom: runtime apply fails with approval or grant errors”What to check:
approved=trueis required for apply calls.- Grant token must match runtime/agent/channel/target version and must be unexpired.
Recovery:
- Re-check update state (
runtime-check-updatesor agent update status). - Issue a fresh grant token.
- Re-run apply with
--approve --grant-token <token>.
Symptom: script download fails during apply
Section titled “Symptom: script download fails during apply”What to check:
- Runtime access token validity.
- Script URL must come from the control plane update decision payload.
Recovery:
- Refresh runtime auth token.
- Re-run check to get current script URLs.
- Re-run apply.
Billing and Entitlements
Section titled “Billing and Entitlements”Symptom: cannot provision/start or gateway returns billing-related rejection
Section titled “Symptom: cannot provision/start or gateway returns billing-related rejection”What to check:
- Current entitlement flags and subscription status.
- Credits/subscription state may be out of sync after billing changes.
Recovery:
- Run
roberto billing statusandroberto billing summary. - Run
roberto billing sync. - If provisioning remains blocked, run
roberto billing setupor open billing portal.
Symptom: checkout or portal session creation fails
Section titled “Symptom: checkout or portal session creation fails”What to check:
- Confirm you are authenticated (
roberto auth whoami). - Check current billing readiness (
roberto billing status). - If you do not have an active subscription/customer yet, use
roberto billing setup.
Recovery:
- Re-run with
roberto billing checkout,roberto billing credits-checkout, orroberto billing portalto capture exact API error payload. - Retry from the web settings billing page.
- If the error persists, contact your workspace admin/support with timestamp + command output.
Gateway Access
Section titled “Gateway Access”Symptom: 401 from /api/gateway/*
Section titled “Symptom: 401 from /api/gateway/*”What to check:
- Gateway token must be provided via
Authorizationorx-api-key. - Token must belong to the target agent.
Recovery:
- Re-fetch gateway credentials for the agent.
- Retry request with the new credential.
Symptom: 503 from managed gateway
Section titled “Symptom: 503 from managed gateway”What to check:
- Managed provider may be temporarily unavailable.
Recovery:
- Retry request after a short delay.
- If persistent, contact your workspace admin/support with request timestamp.
Usage Webhooks
Section titled “Usage Webhooks”Symptom: webhook requests rejected
Section titled “Symptom: webhook requests rejected”What to check:
agentIdquery parameter is required.- JSON body must be valid and include numeric usage fields.
- Signature header may be mandatory depending on deployment config.
Recovery:
- Include valid
agentId. - Sign payload with expected secret and set
x-roberto-signaturewhen enabled. - Use
x-idempotency-keyto safely retry delivery.