Error when trying to log in to Panel

hi jens, hi @texnixe!

it seams i have the same situation with my kirby3 installation. My client has a root server with debian strech, php72 and working rewrite … but when it comes to login with correct credentials, i see the following error in the console:

[Error] Failed to load resource: the server responded with a status of 400 (Bad Request) (login, line 0)

[Error] {status: "error", exception: "Kirby\\Exception\\PermissionException", message: "Unauthenticated", key: "0", file: "kirby/config/api/authentication.php", …}
	onError (app.js:1:235688)
	(anonyme Funktion) (app.js:1:231814)

Any idea what rights are wrong here in case you finally found a solution?

Could you please provide more information? Can the client log in at all? Is the client logged out from time to time and then can’t log in anymore? Or any other information when exactly this happens?

I moved your post to a new topic, the Kirby 3 Panel is a complete rewrite, it doesn’t make sense to mix this with the old version.

No it can’t login in panel at all. happens on first test and is recurring.
I am using/testing two accounts from my local development environment (mamp). I have tested several config.php option from this thread.

tested both with .htaccess

#RewriteBase /
RewriteBase /

apache rewrite seams to work, as otherwise i could not navigate to my content pages.

in safari console I could dig into a error of app.js line: 13789
d.debug && window.console.error(t), 403 === t.code && om.dispatch("user/logout", !0)

Have you tried to

  • remove all content from the media folder
  • all session data from the /site/sessions folder
  • remove all accounts and start fresh on the live server (to do so, you have to allow panel installation on the remote in your config.php)
  • tested with a fresh Starterkit
  • tested in different browsers

Is there any caching active (Varnish Cache) on the server?

1 Like

Finally I could do a login on server clients server thanks to your steps.

The two misconfigurations were from debian permissions, as I was uploading trough sftp into /var/www/html and the local dev user accounts I transferred to the server.

  • testing with ‘starterkit’ (dev was done with plainkit version)
  • using debug mode on server (in config.php) tweaking permissions step by step - depending on exceptions folder by folder
  • after creating user accounts succeeded…
  • same procedure with my local kirby directory
  • user accounts were the problem combined with a too restrictive folder permission setting, finally chmod 775

Summing up, it was caused by a malconfiguration, were the uploaded files got wrong permissions. If the admin lets me know the configuration steps involved I will post an update.

Thank you so much!

I am experiencing the same issue. All permissions are set though. I am not using apache but nginx with this server block. I have a feeling it might be coming from that?

include forge-conf/MY_DOMAIN/before/*; # MY_DOMAIN is obviously my real domain

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name MY_DOMAIN;
    server_tokens off;
    root /home/forge/MY_DOMAIN/public;

    ssl_certificate /etc/nginx/ssl/MY_DOMAIN/814701/server.crt;
    ssl_certificate_key /etc/nginx/ssl/MY_DOMAIN/814701/server.key;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    include forge-conf/MY_DOMAIN/server/*;

    location / {
        try_files $uri $uri/ /index.php?$query_string;

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/MY_DOMAIN-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;

    location ~ /\.(?!well-known).* {
        deny all;

include forge-conf/MY_DOMAIN/after/*;