[GH-ISSUE #5227] new entries not saved due to invalid Refresh token #2098

New issue

Closed

opened 2026-03-03 02:15:18 +03:00 by kerem · 3 comments

kerem commented 2026-03-03 02:15:18 +03:00

Owner

Copy link

Originally created by @JRehkemper on GitHub (Nov 24, 2024).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5227

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.32.5
• Web-vault version: v2024.6.2c
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Environment settings overridden: false
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.46.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "********************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "********************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

1.32.5

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Traefik 3.2.1

Host/Server Operating System

Linux

Operating System Version

AlmaLinux 9.4

Clients

Web Vault, Desktop, Android, iOS

Client Version

Brave 1.73.91

Steps To Reproduce

• Open Vaultwarden App or Web
• Create new Entry and Save

Expected Result

When you get the green "saved"-popup it should be saved to your vault.

Actual Result

You get a green "saved"-popup but the entry is not present if I resync the vault, check on a different device or log back in again.

Logs

vaultwarden  | [2024-11-24 09:27:02.049][request][INFO] POST /api/ciphers
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:02.049][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:02.049][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:02.049][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:02.060][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:02.060][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden  | [2024-11-24 09:27:08.440][request][INFO] GET /api/sync
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::auth][ERROR] Error decoding JWT
vaultwarden  | [2024-11-24 09:27:08.440][auth][ERROR] Unauthorized Error: Invalid claim
vaultwarden  | [2024-11-24 09:27:08.440][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim".
vaultwarden  | [2024-11-24 09:27:08.440][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized
vaultwarden  | [2024-11-24 09:27:08.454][request][INFO] POST /identity/connect/token
vaultwarden  | [2024-11-24 09:27:08.454][response][INFO] (login) POST /identity/connect/token => 400 Bad Request

Screenshots or Videos

Additional Context

Hello,
I get sporadic errors with invalid refresh token on multiple devices. The frustrating thing is, sometimes you can open the app and everything looks fine and if you create a new entry, it will tell you everything is ok. You only notice the invalid refresh token if you want to login again. Usually this can be fixed by completely logging out and in again, but the newly created password isn't saved anywhere because of the invalid refresh token.
I tried the webinterface and clients for Android, IOS, WIndows and Linux and all have the same problem.
I suspected an database corruption and created a new instance of vaultwarden. But after a reimport of the reimport of the vault the problem persists.
Any ideas how to troubleshoot this issue is appreciated.

Originally created by @JRehkemper on GitHub (Nov 24, 2024). Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/5227 ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.32.5 * Web-vault version: v2024.6.2c * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Environment settings overridden: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Database type: SQLite * Database version: 3.46.0 * Clients used: * Reverse proxy and version: * Other relevant information: ### Config (Generated via diagnostics page) <details><summary>Show Running Config</summary> **Environment settings which are overridden:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "cid:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://*************************", "domain_origin": "*****://*************************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "fido2-vault-credentials", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "********************", "smtp_from_name": "Vaultwarden", "smtp_host": "**************", "smtp_password": "***", "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "********************", "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version 1.32.5 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Traefik 3.2.1 ### Host/Server Operating System Linux ### Operating System Version AlmaLinux 9.4 ### Clients Web Vault, Desktop, Android, iOS ### Client Version Brave 1.73.91 ### Steps To Reproduce - Open Vaultwarden App or Web - Create new Entry and Save ### Expected Result When you get the green "saved"-popup it should be saved to your vault. ### Actual Result You get a green "saved"-popup but the entry is not present if I resync the vault, check on a different device or log back in again. ### Logs ```text vaultwarden | [2024-11-24 09:27:02.049][request][INFO] POST /api/ciphers vaultwarden | [2024-11-24 09:27:02.049][vaultwarden::auth][ERROR] Error decoding JWT vaultwarden | [2024-11-24 09:27:02.049][auth][ERROR] Unauthorized Error: Invalid claim vaultwarden | [2024-11-24 09:27:02.049][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". vaultwarden | [2024-11-24 09:27:02.049][response][INFO] (post_ciphers) POST /api/ciphers => 401 Unauthorized vaultwarden | [2024-11-24 09:27:02.060][request][INFO] POST /identity/connect/token vaultwarden | [2024-11-24 09:27:02.060][response][INFO] (login) POST /identity/connect/token => 400 Bad Request vaultwarden | [2024-11-24 09:27:08.440][request][INFO] GET /api/sync vaultwarden | [2024-11-24 09:27:08.440][vaultwarden::auth][ERROR] Error decoding JWT vaultwarden | [2024-11-24 09:27:08.440][auth][ERROR] Unauthorized Error: Invalid claim vaultwarden | [2024-11-24 09:27:08.440][vaultwarden::api::core::ciphers::_][WARN] Request guard `Headers` failed: "Invalid claim". vaultwarden | [2024-11-24 09:27:08.440][response][INFO] (sync) GET /api/sync?<data..> => 401 Unauthorized vaultwarden | [2024-11-24 09:27:08.454][request][INFO] POST /identity/connect/token vaultwarden | [2024-11-24 09:27:08.454][response][INFO] (login) POST /identity/connect/token => 400 Bad Request ``` ### Screenshots or Videos  ### Additional Context Hello, I get sporadic errors with invalid refresh token on multiple devices. The frustrating thing is, sometimes you can open the app and everything looks fine and if you create a new entry, it will tell you everything is ok. You only notice the invalid refresh token if you want to login again. Usually this can be fixed by completely logging out and in again, but the newly created password isn't saved anywhere because of the invalid refresh token. I tried the webinterface and clients for Android, IOS, WIndows and Linux and all have the same problem. I suspected an database corruption and created a new instance of vaultwarden. But after a reimport of the reimport of the vault the problem persists. Any ideas how to troubleshoot this issue is appreciated.

kerem 2026-03-03 02:15:18 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-03-03 02:15:19 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 24, 2024):

Do you have since kind of HA setup running for Vaultwarden?
An invalid claim doesn't come by it self. Something must be invalid, like date/time different or modified private key used to create those tokens.

<!-- gh-comment-id:2495924829 --> @BlackDex commented on GitHub (Nov 24, 2024): Do you have since kind of HA setup running for Vaultwarden? An invalid claim doesn't come by it self. Something must be invalid, like date/time different or modified private key used to create those tokens.

kerem commented 2026-03-03 02:15:19 +03:00

Author

Owner

Copy link

@JRehkemper commented on GitHub (Nov 24, 2024):

There is no high availability in place. Just a single Docker server.
The time is synced. Clients and Docker-server are in CET and the container is running in UTC but they are the expect hour apart.
I did not change any keys.

<!-- gh-comment-id:2495939309 --> @JRehkemper commented on GitHub (Nov 24, 2024): There is no high availability in place. Just a single Docker server. The time is synced. Clients and Docker-server are in CET and the container is running in UTC but they are the expect hour apart. I did not change any keys.

kerem commented 2026-03-03 02:15:19 +03:00

Author

Owner

Copy link

@BlackDex commented on GitHub (Nov 24, 2024):

Does the server restart? What is the date/time of the rsa_key.pem file in your data directory?

Is there any WAF, ModSecurity or something like CloudFlare or CloudFront i front of it?

Something must mangle the token.
You can also try to delete the rsa_key.pem, restart Vaultwarden and see if that solves it. But it think you kinda did that already, unless you copied that exact same file over. Doing that will invalidate all tokens and invites though.

<!-- gh-comment-id:2495943239 --> @BlackDex commented on GitHub (Nov 24, 2024): Does the server restart? What is the date/time of the `rsa_key.pem` file in your data directory? Is there any WAF, ModSecurity or something like CloudFlare or CloudFront i front of it? Something must mangle the token. You can also try to delete the `rsa_key.pem`, restart Vaultwarden and see if that solves it. But it think you kinda did that already, unless you copied that exact same file over. Doing that will invalidate all tokens and invites though.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2098

No description provided.