After extensive troubleshooting, the issue was resolved thanks to the insight provided by @Doug Stevenson in the comments. Switching to the proper require("firebase-functions/v2/https") import and using the onCall((request) => { ... }) signature, along with accessing secrets/config via defineSecret/defineString and request.auth / request.data, completely resolved the contradictory auth: "VALID" + 401 error. The v1 compatibility layer seems to have issues correctly propagating the validated auth context in this scenario.