"API Session Token expired" when connected through company proxy

Hi, I tried to use “Passwords” and it looks great but I got one problem.

When I’m at the company where I work or connected via VPN into the company network, “Passwords” always reports “API Session Token expired”. When I disconnect the VPN, it works.

Does anyone have an idea what is being blocked so that this message appears? Maybe then I can find a workaround.

Greetings.

Sounds to me like your VPN is looking into your HTTPS traffic :worried:

The cause for this message may be that the authentication header or, more likely, the custom “x-api-session” header is removed from the HTTPS requests of the app.

If your company VPN is actually capable of removing header data from an HTTPS request, that means it performs a man-in-the-middle attack on your HTTPS traffic and therefore using the passwords app on such a network is insecure (even with E2EE).

3 Likes

Thanks for the info.

Another reason I could think of would be if you run some kind of proxy server. E.g. if you have an HTTPS-termination proxy that all traffic from the internet to your Nextcloud goes through, but when you’re at home you access Nextcloud directly.
You can check that by accessing Nextcloud through a cellphone connection. If it works with WLAN but not when you’re on mobile data then your proxy might be the issue.
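
One way to test the header-removal and proxy hypotheses from the replies above, as an added example that is not part of the original thread or of the Passwords app: send the two headers to an echo endpoint and report which ones did not arrive unchanged. The echo endpoint, the names `start_echo` and `altered_headers`, and the header values are assumptions made for this sketch; only the header names come from the thread.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values; only the header names come from the thread.
SENT = {"Authorization": "Bearer constructed-placeholder",
        "X-API-SESSION": "constructed-session-token"}

def make_echo_handler(strip=()):
    """Hypothetical echo endpoint: replies with the request headers it received.
    `strip` simulates an intermediary that drops the named headers."""
    dropped = {name.lower() for name in strip}

    class Echo(BaseHTTPRequestHandler):
        def do_GET(self):
            seen = {k.lower(): v for k, v in self.headers.items()
                    if k.lower() not in dropped}
            body = json.dumps(seen).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the console quiet
            pass
    return Echo

def start_echo(strip=()):
    """Start the echo endpoint on a free localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), make_echo_handler(strip))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def altered_headers(url, sent=SENT, use_system_proxy=True):
    """Return the names of sent headers that did not arrive unchanged."""
    handlers = [] if use_system_proxy else [urllib.request.ProxyHandler({})]
    opener = urllib.request.build_opener(*handlers)
    with opener.open(urllib.request.Request(url, headers=sent), timeout=10) as resp:
        seen = json.load(resp)
    return sorted(name for name, value in sent.items()
                  if seen.get(name.lower()) != value)

if __name__ == "__main__":
    for strip in ((), ("X-API-SESSION",)):
        srv = start_echo(strip)
        url = "http://127.0.0.1:%d/" % srv.server_address[1]
        print(strip, "->", altered_headers(url, use_system_proxy=False))
        srv.shutdown()
```

With the echo endpoint hosted on a server you control and queried once from the company network and once from another connection, a non-empty result on only one path points at an intermediary on that path.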