Authentication
This page covers common authentication problems including JWT token issues, component registration failures, and user login problems.
JWT Token Expired
Symptom: API calls return 401 Unauthorized with message Token is expired.
Solution:
-
Request a new token:
curl -k -X POST https://<host>:<port>/api/auth \ -H "Content-Type: application/json" \ -d '{"username":"admin","password":"your_password"}' -
Or refresh before expiry:
curl -k -X GET https://<host>:<port>/refresh_token \ -H "Authorization: Bearer <current_token>"
Token lifetimes:
- User tokens: 15 minutes
- Component tokens: 60 days
- Long-lived tokens: 1 year or 15 years
Component Cannot Authenticate with Webserver
Symptom: Monitor, Integrator, or Sentinel Agent cannot communicate with the Webserver. Logs show authentication errors.
Possible causes:
1. JWT Token Expired or Desynchronized
The Webserver automatically refreshes component tokens every 14 minutes. If this process fails:
- Check the Webserver logs for token refresh errors
- Manually resynchronize tokens from the Web UI: Components > select component > Push Settings
- Or re-register the component:
# Re-register the component
./monitor register <webserver_ip>:<port>
2. RSA Key Mismatch
If a component’s RSA key pair doesn’t match what the Webserver has stored:
- Delete the component from the Webserver UI
- Re-register:
./monitor install <webserver_ip>:<port> - The component generates new keys and sends them during registration
3. Clock Skew
JWT tokens are time-sensitive. If the system clocks are out of sync by more than a few minutes:
- Synchronize clocks using NTP on all hosts
- Check with:
date(Linux) orw32tm /query /status(Windows)
User Cannot Log In
Symptom: Login fails with “incorrect Username or Password”.
Possible causes:
- Wrong password – Passwords are case-sensitive
- Account disabled – Check if the user account is enabled in Administration > Users
- LDAP issues – If using LDAP authentication, verify LDAP connectivity in Settings
Reset Admin Password
If you’ve lost the admin password, you can reset it via the API using a component token:
# Get a component token (requires access to the Webserver host)
TOKEN=$(curl -s -k -X POST https://localhost:8050/loginComponent \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"current_or_internal_pwd"}' \
| jq -r '.token')
# Update the password
curl -k -X PATCH https://localhost:8050/api/users \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"new_secure_password"}'
Rate Limiting
Symptom: Login attempts return 429 Too Many Requests.
Cause: Authentication endpoints are rate-limited to 10 attempts per IP per 5-minute window.
Solution: Wait 5 minutes and try again. If using automation, implement token caching and refresh instead of re-authenticating on every request.
Certificate Authentication Errors
Symptom: x509: certificate signed by unknown authority or tls: bad certificate.
Solution:
-
Ensure certificates are exchanged between components:
# Reload certificates on the component curl -k -X GET https://<component>:<port>/reloadCertificates \ -H "Authorization: Bearer <token>" -
Or re-register the component to exchange new certificates:
./monitor register <webserver_ip>:<port>
See Communication Issues for more certificate troubleshooting.
See also
- Security Model — JWT authentication, mTLS, and RBAC details
- Create API Tokens — how to create and manage API tokens
- Security Hardening — certificate and encryption best practices
- Check the Logfile — reading logs to diagnose auth failures