Session expires : Token is invalid #1772

New Issue

Closed

opened 2026-02-05 01:45:45 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2026-02-05 01:45:45 +03:00

Owner

Copy Link

Originally created by @Gamoth on GitHub (Nov 21, 2023).

Hello,

I'm trying to run vaultwarden from Docker behind a Nginx proxy however that after each user registration, I get the following message: session expires.

Whatever the browser (Firefox, Edge), in private mode or not.
I'm in the latest version of the container, and I've set the time to Europe/Paris.
I've also deleted the rsa_key* many times.

Below my command docker :
docker run --name vaultwarden -e TZ=Europe/Paris -e ADMIN_TOKEN=pouette -v /path/vw/:/data/ -p 8001:80 vaultwarden/server:latest

Below the last log :

[2023-11-21 18:09:27.512][request][INFO] POST /identity/accounts/prelogin
[2023-11-21 18:09:27.512][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2023-11-21 18:09:27.779][request][INFO] POST /identity/connect/token
[2023-11-21 18:09:28.052][vaultwarden::api::identity][INFO] User user@domain.org logged in successfully. IP: x.x.x.x
[2023-11-21 18:09:28.052][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-11-21 18:09:28.084][request][INFO] GET /api/config
[2023-11-21 18:09:28.084][response][INFO] (config) GET /api/config => 200 OK
[2023-11-21 18:09:28.162][request][INFO] POST /identity/connect/token
[2023-11-21 18:09:28.163][response][INFO] (login) POST /identity/connect/token => 200 OK
[2023-11-21 18:09:28.206][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL
[2023-11-21 18:09:28.206][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from ipv6_adress
[2023-11-21 18:09:28.206][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK
[2023-11-21 18:09:28.215][request][INFO] GET /api/config
[2023-11-21 18:09:28.215][response][INFO] (config) GET /api/config => 200 OK
[2023-11-21 18:09:28.220][request][INFO] GET /api/sync?excludeDomains=true
[2023-11-21 18:09:28.220][vaultwarden::auth][ERROR] Token is invalid
[2023-11-21 18:09:28.220][auth][ERROR] Unauthorized Error: Invalid claim
[2023-11-21 18:09:28.220][vaultwarden::api::core::ciphers::_][WARN] Request guard Headers failed: "Invalid claim".
[2023-11-21 18:09:28.220][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
[2023-11-21 18:09:28.287][request][INFO] GET /api/config
[2023-11-21 18:09:28.287][response][INFO] (config) GET /api/config => 200 OK
[2023-11-21 18:09:28.312][vaultwarden::api::notifications][INFO] Closing WS connection from ipv6_adress
[2023-11-21 18:09:28.312][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed
[2023-11-21 18:09:28.353][request][INFO] GET /api/config
[2023-11-21 18:09:28.353][response][INFO] (config) GET /api/config => 200 OK

Below is the diagnosis:

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.1
• Web-vault version: v2023.10.0
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://**********************",
  "domain_origin": "*****://**********************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Can you help me?

Originally created by @Gamoth on GitHub (Nov 21, 2023). Hello, I'm trying to run vaultwarden from Docker behind a Nginx proxy however that after each user registration, I get the following message: session expires. Whatever the browser (Firefox, Edge), in private mode or not. I'm in the latest version of the container, and I've set the time to Europe/Paris. I've also deleted the rsa_key* many times. Below my command docker : `docker run --name vaultwarden -e TZ=Europe/Paris -e ADMIN_TOKEN=pouette -v /path/vw/:/data/ -p 8001:80 vaultwarden/server:latest ` Below the last log : > [2023-11-21 18:09:27.512][request][INFO] POST /identity/accounts/prelogin > [2023-11-21 18:09:27.512][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK > [2023-11-21 18:09:27.779][request][INFO] POST /identity/connect/token > [2023-11-21 18:09:28.052][vaultwarden::api::identity][INFO] User user@domain.org logged in successfully. IP: x.x.x.x > [2023-11-21 18:09:28.052][response][INFO] (login) POST /identity/connect/token => 200 OK > [2023-11-21 18:09:28.084][request][INFO] GET /api/config > [2023-11-21 18:09:28.084][response][INFO] (config) GET /api/config => 200 OK > [2023-11-21 18:09:28.162][request][INFO] POST /identity/connect/token > [2023-11-21 18:09:28.163][response][INFO] (login) POST /identity/connect/token => 200 OK > [2023-11-21 18:09:28.206][request][INFO] GET /notifications/hub?access_token=eyJ0eXAiOiJKV1QiL > [2023-11-21 18:09:28.206][vaultwarden::api::notifications][INFO] Accepting Rocket WS connection from ipv6_adress > [2023-11-21 18:09:28.206][response][INFO] (websockets_hub) GET /notifications/hub?<data..> => 200 OK > [2023-11-21 18:09:28.215][request][INFO] GET /api/config > [2023-11-21 18:09:28.215][response][INFO] (config) GET /api/config => 200 OK > [2023-11-21 18:09:28.220][request][INFO] GET /api/sync?excludeDomains=true > [2023-11-21 18:09:28.220][vaultwarden::auth][ERROR] Token is invalid > [2023-11-21 18:09:28.220][auth][ERROR] Unauthorized Error: Invalid claim > [2023-11-21 18:09:28.220][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". > [2023-11-21 18:09:28.220][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized > [2023-11-21 18:09:28.287][request][INFO] GET /api/config > [2023-11-21 18:09:28.287][response][INFO] (config) GET /api/config => 200 OK > [2023-11-21 18:09:28.312][vaultwarden::api::notifications][INFO] Closing WS connection from ipv6_adress > [2023-11-21 18:09:28.312][rocket::server][ERROR] Upgraded websocket I/O handler failed: WebSocket protocol error: Sending after closing is not allowed > [2023-11-21 18:09:28.353][request][INFO] GET /api/config > [2023-11-21 18:09:28.353][response][INFO] (config) GET /api/config => 200 OK Below is the diagnosis: ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.30.1 * Web-vault version: v2023.10.0 * OS/Arch: linux/x86_64 * Running within Docker: true (Base: Debian) * Environment settings overridden: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.44.0 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ADMIN_TOKEN ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://**********************", "domain_origin": "*****://**********************", "domain_path": "", "domain_set": true, "duo_host": null, "duo_ikey": null, "duo_skey": null, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "extended_logging": true, "helo_name": null, "hibp_api_key": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "Info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "Vaultwarden", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "websocket_address": "0.0.0.0", "websocket_enabled": false, "websocket_port": 3012, "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> Can you help me?

OVERLORD closed this issue 2026-02-05 01:45:46 +03:00

OVERLORD commented 2026-02-05 01:45:48 +03:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Nov 21, 2023):

Deleting the rsa key files or using private browser doesn't help since those do not keep the token in memory/cache, and deleting cause all tokens to be invalid ever generated.

1. Make sure the rsa files stays the same
2. Do not use a private browser
3. Do not use extensions which block or clear cookies or local storage
4. Check your reverse proxy, make sure no WAF or Security extension/config breaks the communication. Some might limit the header size, or rewrite them.

@BlackDex commented on GitHub (Nov 21, 2023): Deleting the rsa key files or using private browser doesn't help since those do not keep the token in memory/cache, and deleting cause all tokens to be invalid ever generated. 1. Make sure the rsa files stays the same 2. Do not use a private browser 3. Do not use extensions which block or clear cookies or local storage 4. Check your reverse proxy, make sure no WAF or Security extension/config breaks the communication. Some might limit the header size, or rewrite them.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

cached-config-operations

test_dylint

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

troubleshooting

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/vaultwarden#1772