# Fixing Home Assistant /auth/token Errors Behind Nginx Proxy Manager

This guide explains exactly what to do when Home Assistant shows:

```
Login attempt or request with invalid authentication.
Requested URL: '/auth/token'
```

This error happens when **Nginx Proxy Manager blocks or alters Home Assistant’s OAuth callback**, especially when using **Authentik**, **OIDC**, or **Basic Auth**.

#### Set the External URL in Home Assistant

In Home Assistant:

1. Go to **Settings → System → Network**
2. Set **External URL** to:

```
https://overseer.cyberpaw.org
```

**Why:**  
Home Assistant validates OAuth requests against this URL. If it doesn’t match the domain used through NPM, HA rejects `/auth/token`.

---

#### Disable “Block Common Exploits” in NPM

In **Nginx Proxy Manager**:

1. Go to **Hosts → Proxy Hosts**
2. Edit your Home Assistant proxy host
3. Open the **SSL** tab
4. **Uncheck**:

```
Block Common Exploits
```

**Why:**  
This option blocks or modifies legitimate OAuth POST requests to:

- `/auth/token`
- `/auth/authorize`
- `/api/*`

This is the **#1 cause** of the `/auth/token` error.

#### Correct SSL Tab Settings

In the same proxy host → **SSL** tab:

1. Turn ON: 
    1. Force SSL
    2. HTTP/2 Support
    3. Websockets Support
2. Turn OFF: 
    1. HSTS Enabled
    2. HSTS Subdomains

**Why:**  
WebSockets are required for HA. HSTS can cause redirect loops or break local access.

---

#### Add Required Headers (Advanced Tab)

In the same proxy host → **Advanced** tab, add:

```
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
```

**Why:**  
Home Assistant must know:

- The original hostname
- The original protocol (HTTPS)
- The real client IP

If any of these headers is missing, HA rejects the OAuth callback.

#### Ensure No Path Rewrites or Blocking

Make sure NPM is **not** rewriting or protecting:

```
/auth/*
/api/*
```

If using **Basic Auth**, do NOT protect these paths.

**Why:**  
OIDC and Authentik rely on these endpoints. If NPM intercepts or rewrites them, HA sees an invalid request.
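As an added check that is not part of the original guide, the following Python lint reads an NPM-generated host config (copied from NPM's data directory) and flags the pitfalls from the sections above: missing forwarded headers, Block Common Exploits, HSTS, a missing WebSocket upgrade header, and a protected or rewritten `/auth` or `/api` location. The `block-exploits.conf` include line that NPM emits for a ticked "Block Common Exploits" and the `homeassistant.internal:8123` upstream are assumptions; both configs are constructed samples.

```python
import re
# Headers the Advanced tab step says must reach HA; prefixes NPM must leave alone.
REQUIRED_HEADERS = {"Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host"}
SENSITIVE_PREFIXES = ("/auth", "/api")

def lint_npm_config(conf: str) -> list[str]:
    """Return findings against the guide's settings; [] means the config is clean."""
    present = set(re.findall(r"proxy_set_header\s+(\S+)\s", conf))
    findings = [f"missing proxy_set_header {h}" for h in sorted(REQUIRED_HEADERS - present)]
    # Assumption: NPM renders a ticked "Block Common Exploits" as this include line.
    if re.search(r"include\s+conf\.d/include/block-exploits\.conf", conf):
        findings.append("Block Common Exploits is on (block-exploits.conf included)")
    if "Strict-Transport-Security" in conf:
        findings.append("HSTS header is set")
    if not re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade", conf):
        findings.append("WebSocket Upgrade header is not forwarded")
    # Any location block on /auth or /api that adds Basic Auth or rewrites/redirects.
    for m in re.finditer(r"location\s+(?:[=~*^]+\s+)?([^\s{]+)\s*\{([^}]*)\}", conf):
        path, body = m.group(1), m.group(2)
        if path.startswith(SENSITIVE_PREFIXES) and re.search(r"\b(auth_basic|rewrite|return)\b", body):
            findings.append(f"location {path} is protected or rewritten")
    return findings

# Constructed sample with the mistakes this guide describes (upstream address is a placeholder).
BAD_CONF = """server {
  include conf.d/include/block-exploits.conf;
  add_header Strict-Transport-Security "max-age=63072000" always;
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://homeassistant.internal:8123;
  }
  location /api/ {
    auth_basic "Restricted";
    proxy_pass http://homeassistant.internal:8123;
  }
}"""

# Constructed sample of the same host after applying the guide.
GOOD_CONF = """server {
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_pass http://homeassistant.internal:8123;
  }
}"""
```

Running `lint_npm_config(BAD_CONF)` lists seven findings (three missing headers, the exploit filter, HSTS, the missing upgrade header, and the protected `/api/` location), while `GOOD_CONF` returns an empty list.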

#### Test the Login Flow Properly

1. Close all HA tabs
2. Open a private/incognito window
3. Visit:

```
https://overseer.cyberpaw.org
```

4. Log in normally