Fixing Home Assistant /auth/token Errors Behind Nginx Proxy Manager
This guide explains exactly what to do when Home Assistant shows:
Login attempt or request with invalid authentication.
Requested URL: '/auth/token'
This error happens when Nginx Proxy Manager blocks or alters Home Assistant’s OAuth callback, especially when using Authentik, OIDC, or Basic Auth.
Set the External URL in Home Assistant
In Home Assistant:
- Go to Settings → System → Network
- Set External URL to:
https://overseer.cyberpaw.org
Why:
Home Assistant validates OAuth requests against this URL. If it doesn’t match the domain used through NPM, HA rejects /auth/token.
Disable “Block Common Exploits” in NPM
In Nginx Proxy Manager:
- Go to Hosts → Proxy Hosts
- Edit your Home Assistant proxy host
- Open the SSL tab
- Uncheck:
Block Common Exploits
Why:
This option blocks or modifies legitimate OAuth POST requests to:
/auth/token
/auth/authorize
/api/*
This is the #1 cause of the /auth/token error.
Correct SSL Tab Settings
In the same proxy host → SSL tab:
- Turn ON:
  - Force SSL
  - HTTP/2 Support
  - Websockets Support
- Turn OFF:
  - HSTS Enabled
  - HSTS Subdomains
Why:
WebSockets are required for HA. HSTS can cause redirect loops or break local access.
Add Required Headers (Advanced Tab)
In the same proxy host → Advanced tab, add:
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
Why:
Home Assistant must know:
- The original hostname
- The original protocol (HTTPS)
- The real client IP
If any of these headers is missing, HA rejects the OAuth callback.
Ensure No Path Rewrites or Blocking
Make sure NPM is not rewriting or protecting:
/auth/*
/api/*
If using Basic Auth, do NOT protect these paths.
Why:
OIDC and Authentik rely on these endpoints. If NPM intercepts or rewrites them, HA sees an invalid request.
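A check for the two sections above (the required headers, and no Basic Auth or rewrites on /auth/* and /api/*), as an added example that is not part of the original guide or of Nginx Proxy Manager. It audits nginx config text passed in as a string; the names `audit`, `REQUIRED`, `PROBES` and the upstream `homeassistant.example:8123` are assumptions, and it only understands plain prefix `location` blocks.

```python
import re

# The five directives the guide adds in the Advanced tab.
REQUIRED = {
    "Host": "$host",
    "X-Real-IP": "$remote_addr",
    "X-Forwarded-For": "$proxy_add_x_forwarded_for",
    "X-Forwarded-Proto": "$scheme",
    "X-Forwarded-Host": "$host",
}
# Endpoints the guide says must reach Home Assistant untouched.
PROBES = ("/auth/token", "/auth/authorize", "/api/")

def audit(conf):
    """Return a list of findings for nginx proxy-host config text."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = []
    seen = {name: value.strip() for name, value in
            re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", conf)}
    for name, want in REQUIRED.items():
        if seen.get(name) != want:
            findings.append(f"header {name}: want {want}, got {seen.get(name)}")
    # Assumption: plain prefix locations only, no regex or nested locations.
    locs = dict(re.findall(r"location\s+(/\S*)\s*\{([^{}]*)\}", conf))
    for probe in PROBES:
        # nginx picks the longest matching prefix location for a request path.
        loc = max((p for p in locs if probe.startswith(p)), key=len, default=None)
        body = locs.get(loc, "")
        auth = re.search(r"auth_basic\s+([^;]+);", body)
        if auth and auth.group(1).strip() != "off":
            findings.append(f"{probe}: Basic Auth applied by location {loc}")
        if re.search(r"\brewrite\s", body):
            findings.append(f"{probe}: rewritten by location {loc}")
    return findings

# Constructed sample: X-Forwarded-Proto is missing, and Basic Auth on "/"
# is lifted for /auth/ but still covers /api/.
SAMPLE = """
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
location / {
    auth_basic "Restricted";
    proxy_pass http://homeassistant.example:8123;
}
location /auth/ { auth_basic off; proxy_pass http://homeassistant.example:8123; }
"""

print("\n".join(audit(SAMPLE)))
```

An empty result means the config text contains all five headers and leaves the probed endpoints free of Basic Auth and rewrites.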
Test the Login Flow Properly
- Close all HA tabs
- Open a private/incognito window
- Visit:
https://overseer.cyberpaw.org
- Log in normally