new entries not saved due to invalid Refresh token #825

New Issue

MrUnknownDE · 2026-04-05T23:51:44+02:00

MrUnknownDE commented

2026-04-05 23:51:44 +02:00

Originally created by @JRehkemper on 11/24/2024

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.32.5
Web-vault version: v2024.6.2c
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Environment settings overridden: false
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Database type: SQLite
Database version: 3.46.0
Clients used:
Reverse proxy and version:
Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik 3.2.1

Host/Server Operating System

Linux

Operating System Version

AlmaLinux 9.4

Clients

Web Vault, Desktop, Android, iOS

Client Version

Brave 1.73.91

Steps To Reproduce

Open Vaultwarden App or Web
Create new Entry and Save

Expected Result

When you get the green "saved"-popup it should be saved to your vault.

Actual Result

You get a green "saved"-popup but the entry is not present if I resync the vault, check on a different device or log back in again.

Logs

vaultwarden  | [2024-11-24 09:27:02.049][request][INFO] POST /api/ciphers
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:02.049][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:02.049][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:02.060][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:02.060][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden  | [2024-11-24 09:27:08.440][request][INFO] GET /api/sync
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:08.440][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:08.440][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:08.454][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:08.454][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

Additional Context

Hello,
I get sporadic errors with invalid refresh token on multiple devices. The frustrating thing is, sometimes you can open the app and everything looks fine and if you create a new entry, it will tell you everything is ok. You only notice the invalid refresh token if you want to login again. Usually this can be fixed by completely logging out and in again, but the newly created password isn't saved anywhere because of the invalid refresh token.
I tried the webinterface and clients for Android, IOS, WIndows and Linux and all have the same problem.
I suspected an database corruption and created a new instance of vaultwarden. But after a reimport of the reimport of the vault the problem persists.
Any ideas how to troubleshoot this issue is appreciated.

*Originally created by @JRehkemper on 11/24/2024* ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.5 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.46.0 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.32.5 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Traefik 3.2.1 ### Host/Server Operating System Linux ### Operating System Version AlmaLinux 9.4 ### Clients Web Vault, Desktop, Android, iOS ### Client Version Brave 1.73.91 ### Steps To Reproduce - Open Vaultwarden App or Web - Create new Entry and Save ### Expected Result When you get the green "saved"-popup it should be saved to your vault. ### Actual Result You get a green "saved"-popup but the entry is not present if I resync the vault, check on a different device or log back in again. ### Logs ```text vaultwarden | [2024-11-24 09:27:02.049][request][INFO] POST /api/ciphers vaultwarden | [2024-11-24 09:27:02.049][vaultwarden::auth][ERROR] Error decoding JWT vaultwarden | [2024-11-24 09:27:02.049][auth][ERROR] Unauthorized Error: Invalid claim vaultwarden | [2024-11-24 09:27:02.049][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". vaultwarden | [2024-11-24 09:27:02.049][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized vaultwarden | [2024-11-24 09:27:02.060][request][INFO] POST /identity/connect/token vaultwarden | [2024-11-24 09:27:02.060][response][INFO] (login) POST /identity/connect/token => 400 Bad Request vaultwarden | [2024-11-24 09:27:08.440][request][INFO] GET /api/sync vaultwarden | [2024-11-24 09:27:08.440][vaultwarden::auth][ERROR] Error decoding JWT vaultwarden | [2024-11-24 09:27:08.440][auth][ERROR] Unauthorized Error: Invalid claim vaultwarden | [2024-11-24 09:27:08.440][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". vaultwarden | [2024-11-24 09:27:08.440][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized vaultwarden | [2024-11-24 09:27:08.454][request][INFO] POST /identity/connect/token vaultwarden | [2024-11-24 09:27:08.454][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos ![Screenshot 2024-11-24 110854](https://github.com/user-attachments/assets/9daff50b-aa7a-417d-be73-48fd89a2c0bc) ### Additional Context Hello, I get sporadic errors with invalid refresh token on multiple devices. The frustrating thing is, sometimes you can open the app and everything looks fine and if you create a new entry, it will tell you everything is ok. You only notice the invalid refresh token if you want to login again. Usually this can be fixed by completely logging out and in again, but the newly created password isn't saved anywhere because of the invalid refresh token. I tried the webinterface and clients for Android, IOS, WIndows and Linux and all have the same problem. I suspected an database corruption and created a new instance of vaultwarden. But after a reimport of the reimport of the vault the problem persists. Any ideas how to troubleshoot this issue is appreciated.

MrUnknownDE closed this issue

2026-04-05 23:51:44 +02:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#825