R RockAI docs
/

Troubleshooting

Cloudflare 401

Widget chat and playground both fail with "Sorry โ€” something went wrong". Tail of storage/logs/laravel.log shows: 

Workers AI 401: {"success":false,"error":[{"code":2009,"message":"Unauthorized"}]}

Cloudflare rejected the API token Pitchbar sent on the Workers AI call. This page is the recovery playbook.

Diagnose

Run this curl command from your Pitchbar server, substituting the actual values from your .env or /settings/system โ†’ AI: 

ACCOUNT_ID="paste-32-char-hex-here"
TOKEN="paste-fresh-token-here"
curl -i -X POST "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/ai/run/@cf/baai/bge-base-en-v1.5" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"text":["hello"]}'

Three possible outcomes:

ResponseCauseFix
200 + JSON with floats Cloudflare is fine; Pitchbar is sending a stale cached token from bootstrap/cache/config.php. php artisan config:clear && php artisan cache:clear && php artisan view:clear
401 Account ID does not match the account this token was issued for, OR Workers AI is not enabled on this account, OR token was mistyped (whitespace, partial paste). See checklist below.
403 Token is valid for the account but lacks the Workers AI: Read scope. Re-issue the token with the correct scope. See "Required scopes" below.

401 checklist (in priority order)

  1. Confirm CLOUDFLARE_ACCOUNT_ID matches the account that issued the token. Log in to Cloudflare as the same email used to create the token โ†’ Workers & Pages โ†’ right sidebar โ†’ Account ID (32-char hex). Paste that into Pitchbar โ†’ Settings โ†’ System โ†’ AI โ†’ Cloudflare. The most common cause of 401 with a fresh token is a mismatched account ID.
  2. Confirm Workers AI is enabled on this account. Dashboard โ†’ AI โ†’ Workers AI. If you see a "Get started" button, click it to enable. Free tier covers most CodeCanyon-scale installs.
  3. Regenerate the token cleanly. Dashboard โ†’ My Profile โ†’ API Tokens โ†’ Create Token โ†’ Custom token. Use the scopes listed below. Account Resources: "Include โ†’ Specific account โ†’ your account". Copy the token string with no leading or trailing whitespace, paste into Pitchbar, save.
  4. Verify with the verify endpoint. 
    curl -i "https://api.cloudflare.com/client/v4/user/tokens/verify" \
  -H "Authorization: Bearer NEW_TOKEN"
    Expected: "status":"active". Confirms the token string itself is valid; doesn't confirm scope.

Required Cloudflare API token scopes

Pitchbar's default Cloudflare stack uses Workers AI for chat + embeddings, Vectorize for retrieval, and Cloudflare Browser Rendering for crawls. The token needs:

ScopeWhy
Workers AI: ReadChat + embedding inference
Vectorize: WriteIndex CRUD + query (write implies read)
Browser Rendering: WritePage crawl for knowledge sources
Workers Scripts: WriteOne-click cron worker deploy from /settings/system โ†’ Cron worker

Not required: AI Gateway, R2 Storage, Pages. Earlier versions of Pitchbar suggested AI Gateway scope โ€” that hint was misleading and was removed in v1.3.0.

After token works

Pitchbar config caches the token into bootstrap/cache/config.php on first request. After updating the token in /settings/system โ†’ AI, you must clear the cache: 

php artisan config:clear
php artisan cache:clear
php artisan view:clear

Then retry the playground at /admin/agents/{id}/playground. Should work immediately.