Troubleshooting auth and session failures

Recover when login, browser session refresh, or MFA steps fail unexpectedly in the public product surface.

Section: Operate and recover
Path: /troubleshooting/auth-and-session

Good for

Active users and Community operators troubleshooting browser auth, MFA, or reverse-proxy session problems.

What you get

You can distinguish product-safe auth failures from proxy/cookie drift and capture the right evidence before escalation.

Before you start

  • Access to the browser or device that is failing
  • Access to the published Nanami URL for the affected environment

Use this guide when browser login, MFA verification, or session refresh keeps failing in the public product path.

Check the visible failure type first

Treat these as different problems:

  • invalid MFA code,
  • expired MFA challenge,
  • rate-limited MFA or resend cooldown,
  • generic login/session failure after proxy or cookie changes.

Do not collapse them into one “auth is broken” report.

Check browser-safe session dependencies

Confirm that:

  • cookies are set for the published domain you are actually using,
  • reverse-proxy headers such as x-forwarded-host and x-forwarded-proto stay correct,
  • system clocks are not drifting on the auth and gateway hosts.
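
The three checks above can be run over captured evidence in one pass. This is an added example, not Nanami code: the cookie name, hostnames, skew tolerance, and function names are assumptions, and the sample values are constructed.

```python
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

MAX_SKEW_SECONDS = 30  # assumed tolerance, not a documented product value

def domain_matches(host, domain):
    """Cookie domain-match: the host itself or a parent domain of it."""
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def check_session_posture(published_url, forwarded, set_cookie_lines, date_headers):
    """Return a list of findings; an empty list means nothing drifted."""
    url = urlsplit(published_url)
    host, scheme, findings = url.hostname, url.scheme, []
    # 1. Headers the backend received must describe the published URL.
    fwd_host = forwarded.get("x-forwarded-host", "").split(":")[0].lower()
    if fwd_host != host:
        findings.append(f"x-forwarded-host {fwd_host!r} != published host {host!r}")
    fwd_proto = forwarded.get("x-forwarded-proto", "").lower()
    if fwd_proto != scheme:
        findings.append(f"x-forwarded-proto {fwd_proto!r} != published scheme {scheme!r}")
    # 2. Cookies must be scoped so the browser returns them to the published host.
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            if morsel["domain"] and not domain_matches(host, morsel["domain"]):
                findings.append(f"cookie {name}: Domain={morsel['domain']} excludes {host}")
            if morsel["secure"] and scheme != "https":
                findings.append(f"cookie {name}: Secure flag but published URL is not https")
    # 3. Date response headers from each host should agree within tolerance.
    times = [parsedate_to_datetime(v) for v in date_headers.values()]
    skew = (max(times) - min(times)).total_seconds() if times else 0
    if skew > MAX_SKEW_SECONDS:
        findings.append(f"clock skew of {skew:.0f}s between {', '.join(date_headers)}")
    return findings

if __name__ == "__main__":
    # Constructed evidence from a misconfigured proxy (all values are made up).
    for finding in check_session_posture(
        "https://app.example.test/login",
        {"x-forwarded-host": "backend.internal:8080", "x-forwarded-proto": "http"},
        ["sid=constructed; Domain=backend.internal; Path=/; HttpOnly"],
        {"auth": "Tue, 04 Mar 2025 10:00:00 GMT",
         "gateway": "Tue, 04 Mar 2025 10:02:10 GMT"},
    ):
        print("DRIFT:", finding)
```

The findings list doubles as escalation evidence alongside the safe error code and the exact published URL.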

Check whether the failure is product or deployment

  • If MFA shows an invalid or expired challenge, retry through the normal browser flow first.
  • If login loops after proxy changes, treat the proxy or cookie boundary as the likely problem.
  • If OAuth or login errors expose only a safe product code, capture that code instead of guessing the backend text.

Decide the next move

  • Fix proxy and cookie posture before asking users to retry repeatedly.
  • If the failure is still visible after posture recovery, capture the safe error code and the exact published URL before escalating.
