Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on GitHub OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
App: Passwords
Version: (fill in the exact version from App Store if needed)
Nextcloud Version: 32.0.2
PHP: 8.2 (Plesk-managed)
OS: AlmaLinux 8 (Dedicated server)
Webserver: Apache + Nginx (reverse proxy, Plesk)
Database: MariaDB (Plesk / MySQL 10.x)
Environment: Fresh installation, all caches cleared, no custom modifications.
❗ Issue Summary
When opening the Passwords app, the page immediately throws:
“API session token expired – The session token is no longer valid. Reloading the application now.”
The popup reappears in an infinite loop, and the app never loads.
All other Nextcloud apps (Mail, Contacts, Calendar, Files, Office/Collabora, Notes, Previews) work correctly.
No other part of Nextcloud shows login/session issues.
🔍 What I already checked
✔ Browser cache cleared (Chrome, Firefox, incognito)
✔ Nextcloud admin cache cleared
✔ All server caches cleared (Redis, Opcache)
✔ Verified no reverse-proxy headers missing
✔ Disabled and re-enabled the Passwords app
✔ Checked database:
  - oc_appconfig contains no invalid keys such as theming cachebuster
  - No leftover config keys for the Passwords app.
✔ Tail of Nextcloud log (occ log:tail)
  - No relevant errors appear when opening the Passwords app.
  - Only unrelated warnings from other apps:
    /appinfo/app.php is not supported anymore, use \OCP\AppFramework\Bootstrap\IBootstrap instead.
  - No exceptions originating from the Passwords app.
✔ Browser dev tools (Network tab)
Opening /apps/passwords/ triggers a 401 Unauthorized or session invalidation, causing the frontend to reload itself endlessly.
🧪 Expected Behavior
The Passwords app should load normally and show the vault UI.
🐞 Actual Behavior
Opening the Passwords app immediately results in:
- Popup: “API session token expired”
- Automatic reload of app
- Same popup appears again
- App never loads
- Loop continues indefinitely.
🧱 Additional Notes
This is a clean Nextcloud 32 environment with all recommended settings.
No custom theming or JavaScript modifications that interfere with app loading.
Other apps that use API endpoints do not show authentication/session issues.
Passwords app appears to be the only component not compatible with NC32 at this moment.
📌 Conclusion
This appears to be a compatibility issue between the Passwords app and Nextcloud 32, specifically related to API session handling or CSRF/auth tokens.
I am happy to provide:
- Network HAR logs
- Full server debug log
- Debug mode reproduction
- App version details

If needed.
Steps to reproduce
Expected behavior
Nextcloud Server version
32
Operating system
Other
PHP engine version
PHP 8.2
Web server
Nginx
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
List of activated Apps
Nextcloud Signing status
Nextcloud Logs
Additional info
No response