Execution error: Only "["any","guests"]" scopes are allowed

Hi, I've seen other people run into this but I can't figure out what the cause/solution is. As seen in the screenshot, I set execute access for a function to three arbitrarily-chosen users. When logged in as one of these users I try to execute the function and receive a permission error that makes no sense:

Execution error: Missing "execute" permission for role "user:653de390a6aab7c3d17c". Only "["any","guests"]" scopes are allowed and "["user:6531eb66c2b6eb9b07ab","user:651d158c191f52af83ef","user:653de390a6aab7c3d17c"]" was given.

What does it mean that only "any" and "guest" permissions are allowed? As it says, the function works fine when I set it to "Any." But I want to limit access to User 653de390a6aab7c3d17c. How do I do that?

I think the error might be backwards. You're actually unauthenticated

Then how does it know I'm executing as User 653de390a6aab7c3d17c?

It doesn't. It's a misleading error

Hmm okay. I'll double-check how I'm doing authentication.

In any case, as well as being misleading, the error also seems like it leaks some sensitive info regarding how the function's permissions are set up

For posterity, if anyone else runs into this, the error is actually telling the truth.

When you access a function via custom domain name (e.g. 6537ac5a24.appwrite.global OR function1.wintermutation.com) only "Any" or "Guest" permissions are allowed. You can't authenticate as a client at all, be it with JWT or Session Cookie.

Instead, to make an authenticated call to a function a client needs to do a POST to {endpoint}/v1/functions/{functionId}/executions with the "X-Appwrite-JWT" header set.

Correct me if I'm wrong

Headers set in the request body, right?

Er wait no

That would just forward the header to the function....

Is that what you meant?