App-Token/App-Password invalidates after reboot/time/server failure


I had a couple of incidences where the app-token/app-password fails.

Latest incident: The server was down for 3 days.


  • NC 27.1.4
  • 2FA for my user
  • seperate App-Tokens for all clients that need one (see below)
  • NC-desktop-app 3.10.1 (Arch)
  • NC-android-app 3.26.0

Symptoms after the reboot of the server:

  • the app-token for the NC-Desktop-Client fails
  • the app-token for the NC-Android-Appclient fails
  • the app-token for the Thunderbird-Calendar fails
  • the app-token for a webdav-mount works fine
  • the app-token for the Android-Dav5x works fine

I am at loss. The problem comes if I have to enforce users to use 2FA and the app-tokens start to fail for some unknown reasons.

Anyone an idea how to debug this?

  • Can I check the “validity” of an app-password in the database?
  • Can I debug the process on the client side (NC-Desktopclient maybe)?
  • Is it rather on the server-side (since Thunderbird is seeing the problem too?)


Anyone the same behaviour?

A day later the app-token for the Android-Dav5x fails to work, so it might not have something to do with reboot or server outages.
It might just be a random thing or a time-based thing.

Is there such a thing as “app-tokens get invalidated after a configured time”?

Cheers for any comment.

What do your server-side logs indicate when the various clients attempt to use these apparently no-longer-functioning app passwords?

Might be worth bumping your loglevel down to get more details temporarily too.

1 Like

Only with loglevel = 0:


No public access to this resource., Username or password was incorrect, No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is mis-configured, Username or password was incorrect

The Nextcloud-App on Android:

Token is not valid: Token is too short for a generated token, should be the password during basic auth


"exception":{},"CustomMessage":"Exception thrown: OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden

That just seems as if the apps forgot their passwords.

Ok. Update:

  • I had the high-performance-backend (notify_push) configured, though probably not correctly (push server is not a trusted proxy · Issue #11 · nextcloud/notify_push · GitHub)
  • I will leave the notify_push backend online, since I figure that only the desktop app and probably not the android app (can’t see anything in the logs that it does) use the notify_push backend, while all my other services seem to invalidate their app-tokens

bumping up the thread.

It is still happening to me:

  • I detangled the admin-account from the user-account to make sure that the account that it is happening to is not special
  • for no apparent changes the app-passwords dropped out of being valid one by one: NC-app on android, then Dav5x-app on android, then caldav-usage on thunderbird and NC-app on the desktop probably at the same time.

something is weird here.

Next try:

  • I use only separate logins to the webinterface, create a QR-Code/App-Token and then do not log out but close the (incognito/private) browser window.

I try to rule out the suspicion, that something/someone invalidates some app-token and therefore all other app-tokens that were created within the same session will also be invalid after some short timespan.

Just FYI

Ok, again me.
No success in using App-Token which were created in a websession which does not get closed…

So, I am starting to collect Issues with similar problems: