[GH-ISSUE #6610] Logged out from every single client after last update #15270

New Issue

Closed

opened 2026-04-23 07:08:28 -05:00 by GiteaMirror · 44 comments

GiteaMirror commented 2026-04-23 07:08:28 -05:00

Owner

Copy Link

Originally created by @xJayMorex on GitHub (Dec 28, 2025).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6610

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.35.0
• Web-vault version: v2025.12.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 18.1 (Debian 18.1-1.pgdg13+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit
• Uses config.json: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: false
• Server/NTP Time Check: false
• Domain Configuration Check: true
• HTTPS Check: true
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://**********************************************************************************************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "",
  "smtp_from_name": "***********",
  "smtp_host": null,
  "smtp_password": null,
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": false,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.35.0

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

nginx-proxy-manager v2.13.4

Host/Server Operating System

Linux

Operating System Version

Devuan 6 VM running on Proxmox VE 9.1.2

Clients

Android, Browser Extension

Client Version

Chrome extension v2025.12.0, Android v2025.12.0

Steps To Reproduce

1. Update to latest docker build (sha256:a66735efe15d3a7ea63b5b3fe6913058756771349f6056e1be1ab7b4ef244b21)
2. Get logged out from every client

Expected Result

Not logged out.

Actual Result

Logged out.

Logs

[vaultwarden::auth][ERROR] Token is invalid
[vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid

Screenshots or Videos

No response

Additional Context

No response

Originally created by @xJayMorex on GitHub (Dec 28, 2025). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/6610 ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.35.0 * Web-vault version: v2025.12.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 18.1 (Debian 18.1-1.pgdg13+2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 14.2.0-19) 14.2.0, 64-bit * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: false * Server/NTP Time Check: false * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": false, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "**********://**********************************************************************************************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************", "domain_origin": "*****://************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "", "smtp_from_name": "***********", "smtp_host": null, "smtp_password": null, "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.35.0 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy nginx-proxy-manager v2.13.4 ### Host/Server Operating System Linux ### Operating System Version Devuan 6 VM running on Proxmox VE 9.1.2 ### Clients Android, Browser Extension ### Client Version Chrome extension v2025.12.0, Android v2025.12.0 ### Steps To Reproduce 1. Update to latest docker build (`sha256:a66735efe15d3a7ea63b5b3fe6913058756771349f6056e1be1ab7b4ef244b21`) 2. Get logged out from every client ### Expected Result Not logged out. ### Actual Result Logged out. ### Logs ```text [vaultwarden::auth][ERROR] Token is invalid [vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid ``` ### Screenshots or Videos _No response_ ### Additional Context _No response_

GiteaMirror added the bug label 2026-04-23 07:08:29 -05:00

GiteaMirror closed this issue 2026-04-23 07:08:30 -05:00

GiteaMirror commented 2026-04-23 07:08:31 -05:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Dec 28, 2025):

From what version did you update? Can you login again?

<!-- gh-comment-id:3694734981 --> @stefan0xC commented on GitHub (Dec 28, 2025): From what version did you update? Can you login again?

GiteaMirror commented 2026-04-23 07:08:32 -05:00

Author

Owner

Copy Link

@xJayMorex commented on GitHub (Dec 28, 2025):

Update was done by nickfedor/watchtower from image v1.34.3 84fd8a47f58d to image v1.35.0 a66735efe15d (always using latest tag).

I am able to log back in without any issues.

docker-compose.yml

  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: unless-stopped
    ports:
      - ${PORT:-8000}:80
    environment:
      - PUID=${USER:-1000}
      - PGID=${GROUP:-1000}
      - DOMAIN=${DOMAIN}
      - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}
      - ADMIN_TOKEN=${ADMIN_TOKEN}
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
    volumes:
      - ${STORAGE}/data:/data
    networks:
      - database

networks:
  database:
    name: ${DB_NETWORK}
    external: true

<!-- gh-comment-id:3694737234 --> @xJayMorex commented on GitHub (Dec 28, 2025): Update was done by `nickfedor/watchtower` from image v1.34.3 `84fd8a47f58d` to image v1.35.0 `a66735efe15d` (always using `latest` tag). I am able to log back in without any issues. <details><summary>docker-compose.yml</summary> ```services: vaultwarden: image: vaultwarden/server:latest container_name: vaultwarden restart: unless-stopped ports: - ${PORT:-8000}:80 environment: - PUID=${USER:-1000} - PGID=${GROUP:-1000} - DOMAIN=${DOMAIN} - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME} - ADMIN_TOKEN=${ADMIN_TOKEN} - WEBSOCKET_ENABLED=true - SIGNUPS_ALLOWED=true volumes: - ${STORAGE}/data:/data networks: - database networks: database: name: ${DB_NETWORK} external: true ``` </details>

GiteaMirror commented 2026-04-23 07:08:35 -05:00

Author

Owner

Copy Link

@stijneikelboom commented on GitHub (Dec 28, 2025):

I have the same experience after updating from 1.34.3 to 1.35.0.

The MacOS app and Safari extension (2025.12.0) immediately showed a generic sync error and logged out right after. The iOS app (2025.12.0) kept working, but a sync or edit operation triggered the attached error.

I have not been able to collect more diagnostics yet, but can confirm logging back in resolves all issues. Has anything been changed with respect to the refresh_token in 1.35.0?

<!-- gh-comment-id:3694777818 --> @stijneikelboom commented on GitHub (Dec 28, 2025): I have the same experience after updating from `1.34.3` to `1.35.0`. The MacOS app and Safari extension (`2025.12.0`) immediately showed a generic sync error and logged out right after. The iOS app (`2025.12.0`) kept working, but a sync or edit operation triggered the attached error. <img src="https://github.com/user-attachments/assets/6b0bea24-9596-444e-8a65-22353fe9a9b2" width="500" /> I have not been able to collect more diagnostics yet, but can confirm logging back in resolves all issues. Has anything been changed with respect to the `refresh_token` in `1.35.0`?

GiteaMirror commented 2026-04-23 07:08:37 -05:00

Author

Owner

Copy Link

@bo0ohXae commented on GitHub (Dec 28, 2025):

Same thing happened to me, BUT I can not log back in anymore! Have also downgraded to 1.34.3 and that one doesn't work either. Will try restoring the db I guess.

<!-- gh-comment-id:3694788218 --> @bo0ohXae commented on GitHub (Dec 28, 2025): Same thing happened to me, BUT I can not log back in anymore! Have also downgraded to 1.34.3 and that one doesn't work either. Will try restoring the db I guess.

GiteaMirror commented 2026-04-23 07:08:38 -05:00

Author

Owner

Copy Link

@Greite commented on GitHub (Dec 28, 2025):

I have the same problem here. I've been able to log back on web, and chrome extension, but can't log back on the iPhone app. Just a generic error message pops up

<!-- gh-comment-id:3694796668 --> @Greite commented on GitHub (Dec 28, 2025): I have the same problem here. I've been able to log back on web, and chrome extension, but can't log back on the iPhone app. Just a generic error message pops up

GiteaMirror commented 2026-04-23 07:08:39 -05:00

Author

Owner

Copy Link

@bo0ohXae commented on GitHub (Dec 28, 2025):

Ahh, never mind! I could log back in once I found the typo that my browser decided to auto-complete into my email address.. lol

<!-- gh-comment-id:3694801171 --> @bo0ohXae commented on GitHub (Dec 28, 2025): Ahh, never mind! I could log back in once I found the typo that my browser decided to auto-complete into my email address.. lol

GiteaMirror commented 2026-04-23 07:08:40 -05:00

Author

Owner

Copy Link

@slanglade commented on GitHub (Dec 28, 2025):

Same here : after upgrading from v1.34.3 to 1.35.0, all token are considered as faulty

[2025-12-28 15:48:17.665][request][INFO] POST /identity/connect/token
[2025-12-28 15:48:17.665][vaultwarden::auth][ERROR] Token is invalid
[2025-12-28 15:48:17.665][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid

This happens for every account existing on the local server.

<!-- gh-comment-id:3694804794 --> @slanglade commented on GitHub (Dec 28, 2025): Same here : after upgrading from v1.34.3 to 1.35.0, all token are considered as faulty [2025-12-28 15:48:17.665][request][INFO] POST /identity/connect/token [2025-12-28 15:48:17.665][vaultwarden::auth][ERROR] Token is invalid [2025-12-28 15:48:17.665][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid This happens for every account existing on the local server.

GiteaMirror commented 2026-04-23 07:08:41 -05:00

Author

Owner

Copy Link

@Greite commented on GitHub (Dec 28, 2025):

I cleared all my sessions from Settings → Account, then logged back in and it worked.
The issue with the iPhone app not logging in was caused by CrowdSec: my device had been banned after several 401 login attempts.

<!-- gh-comment-id:3694815954 --> @Greite commented on GitHub (Dec 28, 2025): I cleared all my sessions from Settings → Account, then logged back in and it worked. The issue with the iPhone app not logging in was caused by CrowdSec: my device had been banned after several 401 login attempts.

GiteaMirror commented 2026-04-23 07:08:42 -05:00

Author

Owner

Copy Link

@LilSlippinJimmy commented on GitHub (Dec 28, 2025):

Same here, logged out of all devices for myself and other users.

<!-- gh-comment-id:3694844788 --> @LilSlippinJimmy commented on GitHub (Dec 28, 2025): Same here, logged out of all devices for myself and other users.

GiteaMirror commented 2026-04-23 07:08:43 -05:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Dec 28, 2025):

I have not experienced this my self at all.
Any logs during these logouts might help, but it will be hard to reproduce i think.

<!-- gh-comment-id:3694903413 --> @BlackDex commented on GitHub (Dec 28, 2025): I have not experienced this my self at all. Any logs during these logouts might help, but it will be hard to reproduce i think.

GiteaMirror commented 2026-04-23 07:08:44 -05:00

Author

Owner

Copy Link

@stijneikelboom commented on GitHub (Dec 28, 2025):

@BlackDex Adding to the log lines already provided by @slanglade, I see multiple sequences of these log lines in my Vaultwarden log file:

[2025-12-28 13:18:17.086][request][INFO] POST /identity/connect/token
[2025-12-28 13:18:17.086][vaultwarden::auth][ERROR] Token is invalid
[2025-12-28 13:18:17.086][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid
[2025-12-28 13:18:17.086][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-12-28 13:18:17.127][request][INFO] GET /api/config
[2025-12-28 13:18:17.127][response][INFO] (config) GET /api/config => 200 OK

And the nginx access logs reflect just the two calls to /identity/connect/token and /api/config:

<ip> - - [28/Dec/2025:13:18:17 +0100] "POST /identity/connect/token HTTP/2.0" 401 480 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15"
<ip> - - [28/Dec/2025:13:18:17 +0100] "GET /api/config HTTP/2.0" 200 604 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15"

Downgrading from 1.35.0 to 1.34.3 produces similar issues, where logging out and in is needed to be able to properly sync again.

<!-- gh-comment-id:3694924062 --> @stijneikelboom commented on GitHub (Dec 28, 2025): @BlackDex Adding to the log lines already provided by @slanglade, I see multiple sequences of these log lines in my Vaultwarden log file: ``` [2025-12-28 13:18:17.086][request][INFO] POST /identity/connect/token [2025-12-28 13:18:17.086][vaultwarden::auth][ERROR] Token is invalid [2025-12-28 13:18:17.086][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid [2025-12-28 13:18:17.086][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-12-28 13:18:17.127][request][INFO] GET /api/config [2025-12-28 13:18:17.127][response][INFO] (config) GET /api/config => 200 OK ``` And the nginx access logs reflect just the two calls to `/identity/connect/token` and `/api/config`: ``` <ip> - - [28/Dec/2025:13:18:17 +0100] "POST /identity/connect/token HTTP/2.0" 401 480 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15" <ip> - - [28/Dec/2025:13:18:17 +0100] "GET /api/config HTTP/2.0" 200 604 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/26.2 Safari/605.1.15" ``` Downgrading from `1.35.0` to `1.34.3` produces similar issues, where logging out and in is needed to be able to properly sync again.

GiteaMirror commented 2026-04-23 07:08:45 -05:00

Author

Owner

Copy Link

@jeroenhabets commented on GitHub (Dec 28, 2025):

FWIW: My daughter had to actually logout using the menus on her iPhone 16, as just closing and restarting Bitwarden and logging in using Face-ID was not enough. Then it worked again, though.

<!-- gh-comment-id:3694994030 --> @jeroenhabets commented on GitHub (Dec 28, 2025): FWIW: My daughter had to actually logout using the menus on her iPhone 16, as just closing and restarting Bitwarden and logging in using Face-ID was not enough. Then it worked again, though.

GiteaMirror commented 2026-04-23 07:08:46 -05:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Dec 28, 2025):

I wonder if something is changed in the refresh tokens which could explain this. But then still strange i haven't noticed this my self.

And i can't remember other people who where using testing mentioned this either.

<!-- gh-comment-id:3695024892 --> @BlackDex commented on GitHub (Dec 28, 2025): I wonder if something is changed in the refresh tokens which could explain this. But then still strange i haven't noticed this my self. And i can't remember other people who where using testing mentioned this either.

GiteaMirror commented 2026-04-23 07:08:46 -05:00

Author

Owner

Copy Link

@hofbi commented on GitHub (Dec 28, 2025):

I also noticed that all devices were logged out. Additionally, I noticed that all client settings on Android devices were gone and back to the default values. Browser extension settings remained unchanged. Not sure if this is related.

<!-- gh-comment-id:3695034909 --> @hofbi commented on GitHub (Dec 28, 2025): I also noticed that all devices were logged out. Additionally, I noticed that all client settings on Android devices were gone and back to the default values. Browser extension settings remained unchanged. Not sure if this is related.

GiteaMirror commented 2026-04-23 07:08:47 -05:00

Author

Owner

Copy Link

@pamperer562580892423 commented on GitHub (Dec 28, 2025):

@BlackDex:

And i can't remember other people who where using testing mentioned this either.

It was mentioned before: https://github.com/dani-garcia/vaultwarden/issues/6561#issuecomment-3663103571

<!-- gh-comment-id:3695045010 --> @pamperer562580892423 commented on GitHub (Dec 28, 2025): @BlackDex: > And i can't remember other people who where using testing mentioned this either. It was mentioned before: https://github.com/dani-garcia/vaultwarden/issues/6561#issuecomment-3663103571

GiteaMirror commented 2026-04-23 07:08:48 -05:00

Author

Owner

Copy Link

@BlackDex commented on GitHub (Dec 28, 2025):

Overlooked that, but unfortunately one report. But Maybe it helps narrow down the change.

<!-- gh-comment-id:3695059490 --> @BlackDex commented on GitHub (Dec 28, 2025): Overlooked that, but unfortunately one report. But Maybe it helps narrow down the change.

GiteaMirror commented 2026-04-23 07:08:49 -05:00

Author

Owner

Copy Link

@luisbandalap commented on GitHub (Dec 28, 2025):

@BlackDex:

And i can't remember other people who where using testing mentioned this either.

It was mentioned before: #6561 (comment)

I was the one mentioning it but didn't raise a ticket as i didn't know it was expected or not.

Switched from :testing to :latest and I got unable to enter to my vaults from any app (web, android, web extension) with this showing on logs:

[2025-12-28 17:23:53.652][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2025-12-28 17:23:53.685][request][INFO] POST /identity/connect/token
[2025-12-28 17:23:53.767][error][ERROR] Serde.
[CAUSE] Error("missing field `type_`", line: 1, column: 677)
[2025-12-28 17:23:53.768][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
[2025-12-28 17:24:09.845][request][INFO] GET /api/config
[2025-12-28 17:24:09.845][response][INFO] (config) GET /api/config => 200 OK

returning from :latest to :testing allows me to log in again

@BlackDex @stefan0xC :latest and :testing should be the same at this point, shouldn't they?

<!-- gh-comment-id:3695132619 --> @luisbandalap commented on GitHub (Dec 28, 2025): > [@BlackDex](https://github.com/BlackDex): > > > And i can't remember other people who where using testing mentioned this either. > > It was mentioned before: [#6561 (comment)](https://github.com/dani-garcia/vaultwarden/issues/6561#issuecomment-3663103571) I was the one mentioning it but didn't raise a ticket as i didn't know it was expected or not. Switched from :testing to :latest and I got unable to enter to my vaults from any app (web, android, web extension) with this showing on logs: ``` [2025-12-28 17:23:53.652][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2025-12-28 17:23:53.685][request][INFO] POST /identity/connect/token [2025-12-28 17:23:53.767][error][ERROR] Serde. [CAUSE] Error("missing field `type_`", line: 1, column: 677) [2025-12-28 17:23:53.768][response][INFO] (login) POST /identity/connect/token => 400 Bad Request [2025-12-28 17:24:09.845][request][INFO] GET /api/config [2025-12-28 17:24:09.845][response][INFO] (config) GET /api/config => 200 OK ``` returning from :latest to :testing allows me to log in again @BlackDex @stefan0xC :latest and :testing should be the same at this point, shouldn't they?

GiteaMirror commented 2026-04-23 07:08:49 -05:00

Author

Owner

Copy Link

@stefan0xC commented on GitHub (Dec 29, 2025):

Make sure you pull the latest image before switching and that it's image digest corresponds to the digest for your platform (e.g. on GHCR or Docker Hub).

:latest and :testing should be the same at this point, shouldn't they?

Almost but there has been a new commit since the latest release.

<!-- gh-comment-id:3695180331 --> @stefan0xC commented on GitHub (Dec 29, 2025): Make sure you pull the latest image before switching and that it's [image digest](https://docs.docker.com/dhi/core-concepts/digests/) corresponds to the digest for your platform (e.g. on [GHCR](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden/624027538?tag=1.35.0) or [Docker Hub](https://hub.docker.com/layers/vaultwarden/server/1.35.0/images/sha256-233f2780b844daecb982bcb8209e5b2258eeb51e82829b6f479989ff9d73739b)). > :latest and :testing should be the same at this point, shouldn't they? Almost but there has been a new commit since the latest release. [](https://github.com/dani-garcia/vaultwarden/compare/1.35.0...main)

GiteaMirror commented 2026-04-23 07:08:50 -05:00

Author

Owner

Copy Link

@luisbandalap commented on GitHub (Dec 29, 2025):

Make sure you pull the latest image before switching and that it's image digest corresponds to the digest for your platform (e.g. on GHCR or Docker Hub).

:latest and :testing should be the same at this point, shouldn't they?

Almost but there has been a new commit since the latest release. [

It was my fault, docker compose used an old :latest tag. after pulling it now i can log again. thanks.

<!-- gh-comment-id:3695188404 --> @luisbandalap commented on GitHub (Dec 29, 2025): > Make sure you pull the latest image before switching and that it's [image digest](https://docs.docker.com/dhi/core-concepts/digests/) corresponds to the digest for your platform (e.g. on [GHCR](https://github.com/dani-garcia/vaultwarden/pkgs/container/vaultwarden/624027538?tag=1.35.0) or [Docker Hub](https://hub.docker.com/layers/vaultwarden/server/1.35.0/images/sha256-233f2780b844daecb982bcb8209e5b2258eeb51e82829b6f479989ff9d73739b)). > > > :latest and :testing should be the same at this point, shouldn't they? > > Almost but there has been a new commit since the latest release. [ It was my fault, docker compose used an old :latest tag. after pulling it now i can log again. thanks.

GiteaMirror commented 2026-04-23 07:08:51 -05:00

Author

Owner

Copy Link

@mzy2240 commented on GitHub (Dec 29, 2025):

Im having the same issue, downgrading to 1.34.3 still face the same issue.

<!-- gh-comment-id:3695356678 --> @mzy2240 commented on GitHub (Dec 29, 2025): Im having the same issue, downgrading to 1.34.3 still face the same issue.

GiteaMirror commented 2026-04-23 07:08:52 -05:00

Author

Owner

Copy Link

@ma-04 commented on GitHub (Dec 29, 2025):

Faced the same issue. For now, logging back in solved the issue.

<!-- gh-comment-id:3695411974 --> @ma-04 commented on GitHub (Dec 29, 2025): Faced the same issue. For now, logging back in solved the issue.

GiteaMirror commented 2026-04-23 07:08:53 -05:00

Author

Owner

Copy Link

@irfanhakim-as commented on GitHub (Dec 29, 2025):

Also facing this issue after upgrading from 1.34.3-alpine to 1.35.0-alpine. All previously logged in accounts/clients need to be logged out and log back in to actually be connected/synced. The main issue I'm seeing is that, on mobile clients at least, there isn't any indication that anything is wrong and that they have to manually log out and log back in.

<!-- gh-comment-id:3695427299 --> @irfanhakim-as commented on GitHub (Dec 29, 2025): Also facing this issue after upgrading from `1.34.3-alpine` to `1.35.0-alpine`. All previously logged in accounts/clients need to be logged out and log back in to **actually** be connected/synced. The main issue I'm seeing is that, on mobile clients at least, there isn't any _indication_ that anything is wrong and that they have to manually log out and log back in.

GiteaMirror commented 2026-04-23 07:08:53 -05:00

Author

Owner

Copy Link

@pamperer562580892423 commented on GitHub (Dec 29, 2025):

@mzy2240 : Does that mean you logged back in and are constantly getting logged out now?

<!-- gh-comment-id:3695432334 --> @pamperer562580892423 commented on GitHub (Dec 29, 2025): @mzy2240 : Does that mean you logged back in and are constantly getting logged out now?

GiteaMirror commented 2026-04-23 07:08:54 -05:00

Author

Owner

Copy Link

@lxw314 commented on GitHub (Dec 29, 2025):

I'm facing the same problem after upgrading from 1.34.3 to 1.35.0. Because I have 2FA enabled, I was locked out and couldn't log back in at all. Everything is back to normal now after I redeployed and restored from a backup.

<!-- gh-comment-id:3695708698 --> @lxw314 commented on GitHub (Dec 29, 2025): I'm facing the same problem after upgrading from 1.34.3 to 1.35.0. Because I have 2FA enabled, I was locked out and couldn't log back in at all. Everything is back to normal now after I redeployed and restored from a backup.

GiteaMirror commented 2026-04-23 07:08:54 -05:00

Author

Owner

Copy Link

@slanglade commented on GitHub (Dec 29, 2025):

Also facing this issue after upgrading from 1.34.3-alpine to 1.35.0-alpine.

Good point, I forgot to mention that I'm using the vaultwarden/server:latest image (with watchtower only to fire notification when there is a new version available)

<!-- gh-comment-id:3695753475 --> @slanglade commented on GitHub (Dec 29, 2025): > Also facing this issue after upgrading from `1.34.3-alpine` to `1.35.0-alpine`. Good point, I forgot to mention that I'm using the vaultwarden/server:latest image (with watchtower only to fire notification when there is a new version available)

GiteaMirror commented 2026-04-23 07:08:55 -05:00

Author

Owner

Copy Link

@slanglade commented on GitHub (Dec 29, 2025):

The main issue I'm seeing is that, on mobile clients at least, there isn't any indication that anything is wrong and that they have to manually log out and log back in.

Also a good point : it may be worth a separate issue in their respective repositories, but I also have the feeling that Bitwarden clients (both android or desktop firefox browser extension, in my case) lacks big red notification when they are not able to sync in the background. It only shows up for a manual sync.

<!-- gh-comment-id:3695761222 --> @slanglade commented on GitHub (Dec 29, 2025): > The main issue I'm seeing is that, on mobile clients at least, there isn't any _indication_ that anything is wrong and that they have to manually log out and log back in. Also a good point : it may be worth a separate issue in their respective repositories, but I also have the feeling that Bitwarden clients (both android or desktop firefox browser extension, in my case) lacks big red notification when they are not able to sync in the background. It only shows up for a manual sync.

GiteaMirror commented 2026-04-23 07:08:56 -05:00

Author

Owner

Copy Link

@mzy2240 commented on GitHub (Dec 29, 2025):

@mzy2240 : Does that mean you logged back in and are constantly getting logged out now?

Not able to log in back in any clients. I think 2FA keeps stopping me and somehow I am no longer able to receive the 2FA verification.

<!-- gh-comment-id:3696424313 --> @mzy2240 commented on GitHub (Dec 29, 2025): > [@mzy2240](https://github.com/mzy2240) : Does that mean you logged back in and are constantly getting logged out now? Not able to log in back in any clients. I think 2FA keeps stopping me and somehow I am no longer able to receive the 2FA verification.

GiteaMirror commented 2026-04-23 07:08:56 -05:00

Author

Owner

Copy Link

@mrz commented on GitHub (Dec 29, 2025):

Adding another data point: on my Vaultwarden instance there are two accounts / vaults, mine and my partner's. We both got logged out from our devices, however I was able to log back in on both my iOS and laptop devices, whereas my partner is unable to log back in on her Android device or laptop. She gets a generic username / password is incorrect error, but we are (fairly) confident that is not the case.

<!-- gh-comment-id:3696586008 --> @mrz commented on GitHub (Dec 29, 2025): Adding another data point: on my Vaultwarden instance there are two accounts / vaults, mine and my partner's. We both got logged out from our devices, however I was able to log back in on both my iOS and laptop devices, whereas my partner is unable to log back in on her Android device or laptop. She gets a generic username / password is incorrect error, but we are (fairly) confident that is not the case.

GiteaMirror commented 2026-04-23 07:08:57 -05:00

Author

Owner

Copy Link

@Vivic87 commented on GitHub (Dec 29, 2025):

'Failed to fetch' in the brave extension at 1.35. I was able to log out in the app, though.

<!-- gh-comment-id:3696599025 --> @Vivic87 commented on GitHub (Dec 29, 2025): 'Failed to fetch' in the brave extension at 1.35. I was able to log out in the app, though.

GiteaMirror commented 2026-04-23 07:08:57 -05:00

Author

Owner

Copy Link

@knedl1k commented on GitHub (Dec 29, 2025):

I faced the same issue coming from 1.34.3, alpine image. Clients (Firefox extension; Apple, Android apps) wouldn't sync with the server. Relogging fixed the issue.

<!-- gh-comment-id:3696912265 --> @knedl1k commented on GitHub (Dec 29, 2025): I faced the same issue coming from 1.34.3, alpine image. Clients (Firefox extension; Apple, Android apps) wouldn't sync with the server. Relogging fixed the issue.

GiteaMirror commented 2026-04-23 07:08:58 -05:00

Author

Owner

Copy Link

@ckoca commented on GitHub (Dec 29, 2025):

Same thing, I have 2 different vaultwarden deployments on different sites and multiple chrome addon and mobile clients connected to them. All of them was logged out at some point in the last 24 hours.

<!-- gh-comment-id:3697094573 --> @ckoca commented on GitHub (Dec 29, 2025): Same thing, I have 2 different vaultwarden deployments on different sites and multiple chrome addon and mobile clients connected to them. All of them was logged out at some point in the last 24 hours.

GiteaMirror commented 2026-04-23 07:08:58 -05:00

Author

Owner

Copy Link

@7Mattias commented on GitHub (Dec 29, 2025):

I hat the token problem on iOS, iPadOS and Safari Extensions. The macOS client was fine. I don't know why.

I always use :latest and I update frequently. In this case it must have been 1.34.3 -> 1.35.0.

<!-- gh-comment-id:3697212482 --> @7Mattias commented on GitHub (Dec 29, 2025): I hat the token problem on iOS, iPadOS and Safari Extensions. The macOS client was fine. I don't know why. I always use :latest and I update frequently. In this case it must have been 1.34.3 -> 1.35.0.

GiteaMirror commented 2026-04-23 07:08:59 -05:00

Author

Owner

Copy Link

@lukaskirner commented on GitHub (Dec 29, 2025):

Same here. Upgraded from 1.34.3 -> 1.35.0. All devices were logged out due to the following error in the logs of the server:

[2025-12-29 18:21:18.741][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2025-12-29 18:21:26.014][request][INFO] POST /identity/connect/token
[2025-12-29 18:21:26.015][vaultwarden::auth][ERROR] Token is invalid
[2025-12-29 18:21:26.016][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid

<!-- gh-comment-id:3697217737 --> @lukaskirner commented on GitHub (Dec 29, 2025): Same here. Upgraded from 1.34.3 -> 1.35.0. All devices were logged out due to the following error in the logs of the server: ```log [2025-12-29 18:21:18.741][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2025-12-29 18:21:26.014][request][INFO] POST /identity/connect/token [2025-12-29 18:21:26.015][vaultwarden::auth][ERROR] Token is invalid [2025-12-29 18:21:26.016][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Impossible to read refresh_token: Token is invalid ```

GiteaMirror commented 2026-04-23 07:08:59 -05:00

Author

Owner

Copy Link

@7Mattias commented on GitHub (Dec 29, 2025):

Same log entries here for every device.

Slightly off topic I guess: Is there a way to "monitor" such issues in an easy effortless way? I noticed this by accident today because I tried to add a secure note and this was not working.

Thanks for some advice.

<!-- gh-comment-id:3697255416 --> @7Mattias commented on GitHub (Dec 29, 2025): Same log entries here for every device. Slightly off topic I guess: Is there a way to "monitor" such issues in an easy effortless way? I noticed this by accident today because I tried to add a secure note and this was not working. Thanks for some advice.

GiteaMirror commented 2026-04-23 07:08:59 -05:00

Author

Owner

Copy Link

@sjansen1 commented on GitHub (Dec 29, 2025):

Updated to 1.35 and got logged out on every desktop and browser client on all my machines (Linux and Windows). Secondary accounts with official Bitwarden servers also got logged out/disappeared.

<!-- gh-comment-id:3697263014 --> @sjansen1 commented on GitHub (Dec 29, 2025): Updated to 1.35 and got logged out on every desktop and browser client on all my machines (Linux and Windows). Secondary accounts with official Bitwarden servers also got logged out/disappeared.

GiteaMirror commented 2026-04-23 07:09:00 -05:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Dec 29, 2025):

This should be fixed with https://github.com/dani-garcia/vaultwarden/pull/6629, which when failing to parse the refresh token as JWT, will proceed the old way.

<!-- gh-comment-id:3697588081 --> @dani-garcia commented on GitHub (Dec 29, 2025): This should be fixed with https://github.com/dani-garcia/vaultwarden/pull/6629, which when failing to parse the refresh token as JWT, will proceed the old way.

GiteaMirror commented 2026-04-23 07:09:00 -05:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Dec 29, 2025):

This PR is merged now and this should be available in testing. I'd appreciate if anyone can test it to check if the issue is fixed. If so, the plan is to do a 1.35.1 release sometime soon.

<!-- gh-comment-id:3697639799 --> @dani-garcia commented on GitHub (Dec 29, 2025): This PR is merged now and this should be available in `testing`. I'd appreciate if anyone can test it to check if the issue is fixed. If so, the plan is to do a `1.35.1` release sometime soon.

GiteaMirror commented 2026-04-23 07:09:01 -05:00

Author

Owner

Copy Link

@Proxymiity commented on GitHub (Dec 29, 2025):

This PR is merged now and this should be available in testing. I'd appreciate if anyone can test it to check if the issue is fixed. If so, the plan is to do a 1.35.1 release sometime soon.

Just updated from 1.34.3 straight to 1.35.0-3e2cef7e (testing) and everything worked (tested on: Windows, Firefox and Android, all latest versions as of writing)

<!-- gh-comment-id:3697800929 --> @Proxymiity commented on GitHub (Dec 29, 2025): > This PR is merged now and this should be available in `testing`. I'd appreciate if anyone can test it to check if the issue is fixed. If so, the plan is to do a `1.35.1` release sometime soon. Just updated from 1.34.3 straight to 1.35.0-3e2cef7e (testing) and everything worked (tested on: Windows, Firefox and Android, all latest versions as of writing)

GiteaMirror commented 2026-04-23 07:09:02 -05:00

Author

Owner

Copy Link

@stijneikelboom commented on GitHub (Dec 30, 2025):

Updated from 1.35.0 to the recent testing (3e2cef7e), and tried on a machine with clients left untouched since running 1.34.3. Can confirm that the MacOS client and Chrome extension can still sync. The Safari extension had automatically logged out, so I haven't been able to test that.

<!-- gh-comment-id:3698387110 --> @stijneikelboom commented on GitHub (Dec 30, 2025): Updated from `1.35.0` to the recent `testing` (`3e2cef7e`), and tried on a machine with clients left untouched since running `1.34.3`. Can confirm that the MacOS client and Chrome extension can still sync. The Safari extension had automatically logged out, so I haven't been able to test that.

GiteaMirror commented 2026-04-23 07:09:04 -05:00

Author

Owner

Copy Link

@dani-garcia commented on GitHub (Dec 30, 2025):

Version 1.35.1 was just released now with the fix for this, let us know if you hit any more problems

<!-- gh-comment-id:3699492217 --> @dani-garcia commented on GitHub (Dec 30, 2025): Version `1.35.1` was just released now with the fix for this, let us know if you hit any more problems

GiteaMirror commented 2026-04-23 07:09:05 -05:00

Author

Owner

Copy Link

@BJReplay commented on GitHub (Dec 30, 2025):

I got this (failed to fetch) when I upgraded my test instance to 1.35.0 (as well as testing builds - which I set up on a test server).

I assumed, incorrectly, that it was a failure in my backup / restore process using ttionya/vaultwarden-backup - I have my phone logged into the restore system as a watchdog to ensure that daily restores just work (they pretty much usually do).

<!-- gh-comment-id:3700632152 --> @BJReplay commented on GitHub (Dec 30, 2025): I got this (failed to fetch) when I upgraded my test instance to 1.35.0 (as well as testing builds - which I set up on a test server). I assumed, incorrectly, that it was a failure in my backup / restore process using ttionya/vaultwarden-backup - I have my phone logged into the restore system as a watchdog to ensure that daily restores just work (they pretty much usually do).

GiteaMirror commented 2026-04-23 07:09:05 -05:00

Author

Owner

Copy Link

@TheSander562 commented on GitHub (Dec 31, 2025):

Still getting this with Authelia (including the offline_access scope) with version 1.35.1.

Not sure how i can help debugging where this comes from.

[2025-12-31 13:19:05.944][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2025-12-31 13:19:05.944][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None })
[2025-12-31 13:22:39.773][vaultwarden::auth][ERROR] Token is invalid
[2025-12-31 13:22:39.773][vaultwarden::auth][ERROR] Failed to decode 172.16.4.16 refresh_token: ZGKG9Rb-BtLJtKT01MQdv74l8xjUJ06fVzYZNel_sS2S-lCROCXurEAUiSCQm7pOpQscW3aHCoJY25x0ZU6n6Q==: Token is invalid
[2025-12-31 13:22:39.795][vaultwarden::auth][ERROR] SSO is now required, Login again
[2025-12-31 13:22:39.796][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again

<!-- gh-comment-id:3702177030 --> @TheSander562 commented on GitHub (Dec 31, 2025): Still getting this with Authelia (including the offline_access scope) with version 1.35.1. Not sure how i can help debugging where this comes from. ``` [2025-12-31 13:19:05.944][vaultwarden::sso_client][ERROR] Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2025-12-31 13:19:05.944][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Request to exchange_refresh_token endpoint failed: ServerResponse(StandardErrorResponse { error: invalid_grant, error_description: Some("The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."), error_uri: None }) [2025-12-31 13:22:39.773][vaultwarden::auth][ERROR] Token is invalid [2025-12-31 13:22:39.773][vaultwarden::auth][ERROR] Failed to decode 172.16.4.16 refresh_token: ZGKG9Rb-BtLJtKT01MQdv74l8xjUJ06fVzYZNel_sS2S-lCROCXurEAUiSCQm7pOpQscW3aHCoJY25x0ZU6n6Q==: Token is invalid [2025-12-31 13:22:39.795][vaultwarden::auth][ERROR] SSO is now required, Login again [2025-12-31 13:22:39.796][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: SSO is now required, Login again ```

GiteaMirror commented 2026-04-23 07:09:06 -05:00

Author

Owner

Copy Link

@eishockey commented on GitHub (Jan 1, 2026):

I have the same problem without SSO with Verson 1.35.1 with Windows Client Version 2025.12.0:

[2026-01-01 15:32:00.064][vaultwarden::api::notifications][INFO] Closing WS connection from 192.168.13.113

[2026-01-01 15:32:02.340][request][INFO] POST /identity/connect/token
[2026-01-01 15:32:02.341][vaultwarden::auth][ERROR] Token is invalid
[2026-01-01 15:32:02.341][vaultwarden::auth][ERROR] Failed to decode 192.168.13.113 refresh_token: rI....asAw==: Token is invalid
[2026-01-01 15:32:02.343][vaultwarden::auth][ERROR] Invalid refresh token
[2026-01-01 15:32:02.343][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-01-01 15:32:02.343][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
[2026-01-01 15:32:03.484][request][INFO] GET /api/devices/knowndevice
[2026-01-01 15:32:03.487][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-01-01 15:32:04.375][request][INFO] GET /api/devices/knowndevice
[2026-01-01 15:32:04.378][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
[2026-01-01 15:32:07.690][request][INFO] POST /identity/accounts/prelogin
[2026-01-01 15:32:07.692][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
[2026-01-01 15:32:08.030][request][INFO] POST /identity/connect/token
[2026-01-01 15:32:08.170][vaultwarden::api::identity][INFO] User XXXXXXXXXX logged in successfully. IP: 192.168.13.113

After every App restart I have to login again - and when I hit "sync vault" the sync fails and I have to relogin. But changes are synced to the instance.

I already killed all sessions, deleted the Bitwarden directory under AppData\Roaming on my PC and reinstalled the client - no changes.

My Android clients seems to have no issues.

<!-- gh-comment-id:3703845865 --> @eishockey commented on GitHub (Jan 1, 2026): I have the same problem without SSO with Verson 1.35.1 with Windows Client Version 2025.12.0: ``` [2026-01-01 15:32:00.064][vaultwarden::api::notifications][INFO] Closing WS connection from 192.168.13.113 [2026-01-01 15:32:02.340][request][INFO] POST /identity/connect/token [2026-01-01 15:32:02.341][vaultwarden::auth][ERROR] Token is invalid [2026-01-01 15:32:02.341][vaultwarden::auth][ERROR] Failed to decode 192.168.13.113 refresh_token: rI....asAw==: Token is invalid [2026-01-01 15:32:02.343][vaultwarden::auth][ERROR] Invalid refresh token [2026-01-01 15:32:02.343][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token [2026-01-01 15:32:02.343][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized [2026-01-01 15:32:03.484][request][INFO] GET /api/devices/knowndevice [2026-01-01 15:32:03.487][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-01-01 15:32:04.375][request][INFO] GET /api/devices/knowndevice [2026-01-01 15:32:04.378][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK [2026-01-01 15:32:07.690][request][INFO] POST /identity/accounts/prelogin [2026-01-01 15:32:07.692][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK [2026-01-01 15:32:08.030][request][INFO] POST /identity/connect/token [2026-01-01 15:32:08.170][vaultwarden::api::identity][INFO] User XXXXXXXXXX logged in successfully. IP: 192.168.13.113 ``` After every App restart I have to login again - and when I hit "sync vault" the sync fails and I have to relogin. But changes are synced to the instance. I already killed all sessions, deleted the Bitwarden directory under AppData\Roaming on my PC and reinstalled the client - no changes. My Android clients seems to have no issues.

GiteaMirror commented 2026-04-23 07:09:06 -05:00

Author

Owner

Copy Link

@Ljzd-PRO commented on GitHub (Jan 19, 2026):

1.35.2 still (PC, Browser, iOS)

[2026-01-19 06:03:29.221][request][INFO] POST /api/ciphers
[2026-01-19 06:03:29.221][vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature)
[2026-01-19 06:03:29.221][auth][ERROR] Unauthorized Error: Invalid claim
[2026-01-19 06:03:29.221][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
[2026-01-19 06:03:29.221][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized
[2026-01-19 06:03:29.580][request][INFO] POST /identity/connect/token
[2026-01-19 06:03:29.662][vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature)
[2026-01-19 06:03:29.662][vaultwarden::auth][ERROR] Failed to decode 10.xxx.92.2 refresh_token: eyJ0e...zSWA: Error decoding JWT: Error(InvalidSignature)
[2026-01-19 06:03:29.825][vaultwarden::auth][ERROR] Invalid refresh token
[2026-01-19 06:03:29.826][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-01-19 06:03:29.826][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized

<!-- gh-comment-id:3766593419 --> @Ljzd-PRO commented on GitHub (Jan 19, 2026): 1.35.2 still (PC, Browser, iOS) ``` [2026-01-19 06:03:29.221][request][INFO] POST /api/ciphers [2026-01-19 06:03:29.221][vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature) [2026-01-19 06:03:29.221][auth][ERROR] Unauthorized Error: Invalid claim [2026-01-19 06:03:29.221][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". [2026-01-19 06:03:29.221][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized [2026-01-19 06:03:29.580][request][INFO] POST /identity/connect/token [2026-01-19 06:03:29.662][vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature) [2026-01-19 06:03:29.662][vaultwarden::auth][ERROR] Failed to decode 10.xxx.92.2 refresh_token: eyJ0e...zSWA: Error decoding JWT: Error(InvalidSignature) [2026-01-19 06:03:29.825][vaultwarden::auth][ERROR] Invalid refresh token [2026-01-19 06:03:29.826][vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token [2026-01-19 06:03:29.826][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized ```

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.36.0

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels

better for forum

bug

documentation

duplicate

enhancement

future Vault

good first issue

help wanted

low priority

notes

pull-request

Mirrored from GitHub Pull Request

question

SSO

Third party

troubleshooting

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vaultwarden#15270