---
audience: everyone
summary: Sign-in redirects don't work, you get bounced back, or the app says the token
  is invalid.
title: Can't sign in
path: troubleshooting/cant-sign-in
status: published
---

# Can't sign in

## Symptom: ScaiKey rejects the password

You enter your password and ScaiKey shows "invalid credentials" or
similar. That's a ScaiKey issue, not ScaiWave — check your tenant's
SSO config or contact your admin.

## Symptom: Loop between ScaiKey and ScaiWave

You sign in, get redirected back, and immediately get sent to
ScaiKey again. This usually means the redirect URI is misconfigured:

- ScaiWave expects `redirect_uri` to point at
  `<SCAIWAVE_HOST>/v1/auth/login`.
- ScaiKey's allowed-redirect-URI list must include that exact URL.

Have an admin check both sides. If you're using a load balancer, make
sure HTTPS termination preserves the `Host` header.

## Symptom: 401 immediately after sign-in

You sign in, land in the app, but every API call returns
`SW_AUTH_INVALID_TOKEN`. Causes:

- **Clock skew** of more than 60 seconds between your client and the
  server. Check the system clock.
- **ScaiKey JWKS not reachable** by the ScaiWave server. An admin
  should check that `SCAIWAVE_SCAIKEY_URL` is right and that the
  network path is open.
- **Cached old token**. Hard-reload the page (Cmd+Shift+R / Ctrl+F5).

## Symptom: "Tenant not found"

The token validates but `SW_TENANT_NOT_FOUND` is returned. The
`tenant_id` claim in your token doesn't match a row in
`sw_tenants`. Either:

- Your tenant was deleted (ask your admin).
- The tenant exists but with a different `scaikey_tenant_id` than
  the one ScaiKey is signing you in with. An admin needs to run
  `scaiwave sync` to reconcile.

## Symptom: Local dev — no sign-in prompt

If you're in mock-auth mode (`SCAIWAVE_AUTH_MODE=mock`), there's no
real sign-in; you're auto-logged-in as the mock dev user. That's
expected.

If you want real ScaiKey auth locally, set `SCAIWAVE_AUTH_MODE=scaikey`
and configure `SCAIWAVE_SCAIKEY_URL` etc. (See
[Configuration](/docs/scaiwave/reference/configuration).)

## Symptom: Federated user can't see federated rooms

You're a federated guest in someone else's room and you can't see
it. Likely the foreign server hasn't accepted your home server's
peering. Their admin needs to add yours to `allowed_peers`.

## What to check (admin)

- `GET /v1/auth/config` returns valid JSON.
- `GET /health` returns 200 with `checks.database = "ok"`.
- ScaiKey's `/.well-known/openid-configuration` is reachable from
  the ScaiWave pod.
- Logs around the failing request — grep for `auth.token_invalid`
  or `auth.tenant_resolution_failed`.
