mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-07-17 17:32:27 -05:00
[GH-ISSUE #7160] Unable to refresh login credentials: Invalid refresh token #30123
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @fourass on GitHub (Apr 29, 2026).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/7160
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Failed HTTP Checks:
Config:
Vaultwarden Build Version
v1.35.6
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
nginx v1.22.1
Host/Server Operating System
Linux
Operating System Version
No response
Clients
Browser Extension
Client Version
2026.1.0
Steps To Reproduce
At the startup of the docker container, I'm having this error
[vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature)
[vaultwarden::auth][ERROR] Failed to decode [ALB IP] refresh_token: 'my_refresh_token:
Error decoding JWT: Error(InvalidSignature)
[vaultwarden::auth][ERROR] Invalid refresh token
[vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-04-29 10:21:16.042][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
TO add some context, we were having this before and also users (using both Desktop and Web extension) were not able to save their changes
So we backend the rsa key in an EFS to keep the same RSA and that fixed the client not being able to save problem, but apparently didn't fix the Invalid refresh token issue ..
-rw-r--r-- 1 root root 1675 Mar 17 11:06 rsa_key.pem (I can see that we get the old rsa_key)
So client side the problem is saved, but my container is unhealthy..
Expected Result
The refresh token should be valid, unless I'm missing something, somewhere
Actual Result
[vaultwarden::auth][ERROR] Error decoding JWT: Error(InvalidSignature)
[vaultwarden::auth][ERROR] Failed to decode [ALB IP] refresh_token: 'my_refresh_token:
Error decoding JWT: Error(InvalidSignature)
[vaultwarden::auth][ERROR] Invalid refresh token
[vaultwarden::api::identity][ERROR] Unable to refresh login credentials: Invalid refresh token
[2026-04-29 10:21:16.042][response][INFO] (login) POST /identity/connect/token => 401 Unauthorized
Logs
Screenshots or Videos
No response
Additional Context
No response
@BlackDex commented on GitHub (Apr 29, 2026):
Update to the latest version of Vaultwarden which has this fixed already via #7105