Making it obvious that API key is invalid - error otherwise is quite cryptic.

packages/backend-core/src/middleware/authenticated.ts

@@ -48,22 +48,31 @@ async function checkApiKey(apiKey: string, populateUser?: Function) {
   const decrypted = decrypt(apiKey)
   const tenantId = decrypted.split(SEPARATOR)[0]
   return doInTenant(tenantId, async () => {
-    const db = getGlobalDB()
+    let userId
-    // api key is encrypted in the database
+    try {
-    const userId = (await queryGlobalView(
+      const db = getGlobalDB()
-      ViewName.BY_API_KEY,
+      // api key is encrypted in the database
-      {
+      userId = (await queryGlobalView(
-        key: apiKey,
+        ViewName.BY_API_KEY,
-      },
+        {
-      db
+          key: apiKey,
-    )) as string
+        },
+        db
+      )) as string
+    } catch (err) {
+      userId = undefined
+    }
     if (userId) {
       return {
         valid: true,
         user: await getUser(userId, tenantId, populateUser),
       }
     } else {
-      throw "Invalid API key"
+      throw {
+        message:
+          "Invalid API key - may need re-generated, or user doesn't exist",
+        name: "InvalidApiKey",
+      }
     }
   })
 }
@@ -164,8 +173,10 @@ export default function (
       console.error(`Auth Error: ${err.message}`)
       console.error(err)
       // invalid token, clear the cookie
-      if (err && err.name === "JsonWebTokenError") {
+      if (err?.name === "JsonWebTokenError") {
         clearCookie(ctx, Cookie.Auth)
+      } else if (err?.name === "InvalidApiKey") {
+        ctx.throw(403, err.message)
       }
       // allow configuring for public access
       if ((opts && opts.publicAllowed) || publicEndpoint) {