Problem when using the API #480

Closed
opened 2026-04-05 21:27:49 +02:00 by MrUnknownDE · 0 comments

Originally created by @alexppg on 7/10/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.1
  • Web-vault version: v2025.5.0
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Debian)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 14.17 on x86_64-pc-linux-gnu, compiled by Debian clang version 12.0.1, 64-bit
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)


Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://*************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************************************************************",
  "domain_origin": "*****://****************************************************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": false,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "DEBUG",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***",
  "org_events_enabled": false,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": false,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***********************************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.1

Deployment method

Other method

Custom deployment method

I'm using the latest docker image, v1.34.1, in GKE.

Reverse Proxy

Kubernetes Ingress Nginx

Host/Server Operating System

Linux

Operating System Version

No response

Clients

Web Vault

Client Version

No response

Steps To Reproduce

  1. Log in to the API using the endpoint /identity/connect/token
  2. Get the token
  3. Try to use different endpoints, e.g.:
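# Repro: obtain a token via the client_credentials grant, then call the
# user-facing API endpoints with it.
#
# "$VW_URL" must be in double quotes so the shell expands it; inside single
# quotes curl receives the literal string $VW_URL/identity/connect/token.
# The client secret is read from an environment variable and passed with
# --data-urlencode instead of being written inline, so it does not end up
# in shell history or in the process listing.
# NOTE(review): the "Invalid claim" in the logs suggests a token issued for
# scope=api.organization does not carry the user claims that the /api/sync
# and /api/organizations/... request guards expect — confirm against the
# vaultwarden::auth module.
: "${VW_URL:?set VW_URL to the Vaultwarden base URL (scheme://host)}"
: "${VW_CLIENT_ID:?set VW_CLIENT_ID (e.g. organization.xxxx)}"
: "${VW_CLIENT_SECRET:?set VW_CLIENT_SECRET}"

VW_TOKEN=$(curl -sS -X POST "$VW_URL/identity/connect/token" \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=api.organization' \
  --data-urlencode "client_id=$VW_CLIENT_ID" \
  --data-urlencode "client_secret=$VW_CLIENT_SECRET" \
  --data-urlencode 'device_identifier=import_script' \
  --data-urlencode 'device_name=import_script' \
  --data-urlencode 'device_type=script' \
  | jq -r '.access_token')

# jq prints "null" when the field is absent, so an error response would
# otherwise be sent on as the bearer token.
if [ -z "$VW_TOKEN" ] || [ "$VW_TOKEN" = "null" ]; then
  echo "token request did not return an access_token" >&2
  exit 1
fi

for path in /api/sync /api/organizations/xxx/collections /api/organizations/xxx/users; do
  curl -sS -X GET "$VW_URL$path" \
    -H 'Content-Type: application/json; charset=utf-8' \
    -H 'Accept: */*' \
    -H "Authorization: Bearer $VW_TOKEN"
done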

Expected Result

Correctly using the API.

Actual Result

In all cases, the response is:

    <div role="main" align="center">
        <h1>401: Unauthorized</h1>
        <p>The request requires user authentication.</p>
        <hr />
    </div>

Logs

[2025-07-10 08:07:17.380][request][INFO] GET /api/organizations/xxxx/users
[2025-07-10 08:07:17.380][vaultwarden::auth][ERROR] Error decoding JWT
[2025-07-10 08:07:17.380][auth][ERROR] Unauthorized Error: Invalid claim
[2025-07-10 08:07:17.380][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "Invalid claim".
[2025-07-10 08:07:17.380][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default.
[2025-07-10 08:07:17.380][response][INFO] (get_members) GET /api/organizations/<org_id>/users?<data..> => 401 Unauthorized

Screenshots or Videos

No response

Additional Context

  1. The token seems to be correct: when using a random one it fails with a different error, saying the token is not valid.
  2. Also, I'm able to see the information I'm requesting via the API when using the web interface, so it would be odd if this were a permissions issue.
  3. I'm using GKE, but I'm only using one pod.
  4. I've tried recreating the RSA key, checked that the server's time was synced, and probably something more I'm forgetting.

If you can point me in the right direction, I'd appreciate it. Thanks!

*Originally created by @alexppg on 7/10/2025* ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.1 * Web-vault version: v2025.5.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 14.17 on x86_64-pc-linux-gnu, compiled by Debian clang version 12.0.1, 64-bit * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://*************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://****************************************************************", "domain_origin": "*****://****************************************************************", "domain_path": "", "domain_set": true, 
"duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": false, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "DEBUG", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "***", "org_events_enabled": false, "org_groups_enabled": true, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", 
"sendmail_command": null, "sends_allowed": false, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": "Login", "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "***********************************************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.1 ### Deployment method Other method ### Custom deployment method I'm using the latest docker image, v1.34.1, in GKE. ### Reverse Proxy Kubernetes Ingress Nginx ### Host/Server Operating System Linux ### Operating System Version _No response_ ### Clients Web Vault ### Client Version _No response_ ### Steps To Reproduce 1. Log in the API using the endpoint `/identity/connect/token` 2. Get the token 3. Try to use different endpoints. 
i.e: ``` VW_TOKEN=$(curl -s -X POST '$VW_URL/identity/connect/token' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=client_credentials&scope=api.organization&client_id=organization.xxxx&client_secret=xxx&device_identifier=import_script&device_name=import_script&device_type=script' | jq -r '.access_token') curl -s -X GET "$VW_URL/api/sync" -H 'Content-Type: application/json; charset=utf-8' -H "Accept: */*" -H "Authorization: Bearer $VW_TOKEN" curl -s -X GET "$VW_URL/api/organizations/xxx/collections" -H 'Content-Type: application/json; charset=utf-8' -H "Accept: */*" -H "Authorization: Bearer $VW_TOKEN" curl -s -X GET "$VW_URL/api/organizations/xxx/users" -H 'Content-Type: application/json; charset=utf-8' -H "Accept: */*" -H "Authorization: Bearer $VW_TOKEN" ``` ### Expected Result Correctly using the API. ### Actual Result In all cases, the response is: ``` <div role="main" align="center"> <h1>401: Unauthorized</h1> <p>The request requires user authentication.</p> <hr /> </div> ``` ### Logs ```text [2025-07-10 08:07:17.380][request][INFO] GET /api/organizations/xxxx/users [2025-07-10 08:07:17.380][vaultwarden::auth][ERROR] Error decoding JWT [2025-07-10 08:07:17.380][auth][ERROR] Unauthorized Error: Invalid claim [2025-07-10 08:07:17.380][vaultwarden::api::core::organizations::_][WARN] Request guard `ManagerHeadersLoose` failed: "Invalid claim". [2025-07-10 08:07:17.380][rocket::server::_][WARN] No 401 catcher registered. Using Rocket default. [2025-07-10 08:07:17.380][response][INFO] (get_members) GET /api/organizations/<org_id>/users?<data..> => 401 Unauthorized ``` ### Screenshots or Videos _No response_ ### Additional Context 1. The token seems to be correct, when using a random one it fails whith a different error, saying the token is not valid. 2. Also, I'm able to see the information I'm requesting via API using the web interface, so it would be weird if it were a permissions issue. 3. I'm using GKE, but I'm only using one pod. 4. 
I've tried recreating the rsa key, checked the time in the server was synced, and probably something more I'm forgetting. If you can point me in the right direction, I'd appreciate it. Thanks!