The logic for credentials and token authentication for web sockets seem to be inverted: credentials is trying to authenticate with token, and token with credentials.