Constant "Login attempt failed" errors...

[notDavid]

The problem

Hi there,

i get these error messages daily. HAOS is running locally, and is not available from the internet. The reported IP in the log is sometimes from my Macbook, sometimes an iPhone.

Please advise... Thank you!

What version of Home Assistant Core has the issue?

core-2025.3.3

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

http

Link to integration documentation on our website

https://www.home-assistant.io/integrations/http

Diagnostics information

error as reported in http://192.168.1.7:8123/config/logs - click to expand

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:136
integration: HTTP (documentation, issues)
First occurred: March 15, 2025 at 22:33:53 (5 occurrences)
Last logged: 16:03:57

Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). Requested URL: '/api/history/period/2025-03-15T21:18:05.681Z?filter_entity_id=sensor.airgradient_temperature&end_time=2025-03-15T21:18:13.987Z&skip_initial_state&minimal_response&no_attributes'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0)
Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). Requested URL: '/api/history/period/2025-03-15T21:48:59.845Z?filter_entity_id=sensor.airgradient_temperature&end_time=2025-03-15T21:49:08.032Z&skip_initial_state&minimal_response&no_attributes'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0)
Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). Requested URL: '/api/history/period/2025-03-15T22:04:45.947Z?filter_entity_id=sensor.airgradient_temperature&end_time=2025-03-15T22:19:58.087Z&skip_initial_state&minimal_response&no_attributes'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0)
Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). Requested URL: '/api/history/period/2025-03-16T07:20:51.791Z?filter_entity_id=sensor.airgradient_temperature&end_time=2025-03-16T07:23:51.720Z&skip_initial_state&minimal_response&no_attributes'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0)
Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). Requested URL: '/api/history/period/2025-03-16T14:40:02.451Z?filter_entity_id=sensor.airgradient_temperature&end_time=2025-03-16T14:57:59.700Z&skip_initial_state&minimal_response&no_attributes'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0)

Example YAML snippet

Anything in the logs that might be useful for us?

Additional information

No response

[home-assistant[bot]]

Hey there @home-assistant/core, mind taking a look at this issue as it has been labeled with an integration (http) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of http can trigger bot actions by commenting:

• @home-assistant close Closes the issue.
• @home-assistant rename Awesome new title Renames the issue.
• @home-assistant reopen Reopen the issue.
• @home-assistant unassign http Removes the current integration label and assignees on the issue, add the integration domain after the command.
• @home-assistant add-label needs-more-information Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
• @home-assistant remove-label needs-more-information Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

_{^{(message by CodeOwnersMention)}}

---

http documentation http source _{^{(message by IssueLinks)}}

[rudolphchg]

Hi, I can confirm that his error is thrown with every login.

Logger: homeassistant.components.http.ban Quelle: components/http/ban.py:136 Integration: HTTP (Dokumentation, Probleme) Erstmals aufgetreten: 13:46:44 (1 Vorkommnisse) Zuletzt protokolliert: 13:46:44

Login attempt or request with invalid authentication from 192.168.2.114 (192.168.2.114). Requested URL: '/api/websocket'. (Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

core: 2025.2.4

Regards, Christine

[runeverstraeten]

Sadly I am having the same problem.

Logger: homeassistant.components.http.ban Bron: components/http/ban.py:136 integratie: HTTP (documentatie, problemen) Eerst voorgekomen: 13:46:33 (4681 gebeurtenissen) Laatst gelogd: 13:53:31

Login attempt or request with invalid authentication from XXXXXXX.access.telenet.be (XX.XX.XX.XXX). Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.2 (io.robbie.HomeAssistant.PushProvider; build:2025.1178; iOS 18.3.1) Alamofire/5.8.0)

XX.XX.XX.XXX = WAN IP

[smorgo]

I'm having it complain about localhost, which is confusing the hell out of me!

Logger: homeassistant.components.http.ban Source: components/http/ban.py:136 integration: HTTP (documentation, issues) First occurred: 8:30:24 AM (524 occurrences) Last logged: 12:03:35 PM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1178; iOS 18.3.1) Alamofire/5.8.0)

[DJS91]

Me too. I changed my admin account password, and it caused these constant error notifications, every few seconds.

[josedaidone]

Same issue here.

Logger: homeassistant.components.http.ban Source: components/http/ban.py:136 integration: HTTP (documentation, issues) First occurred: 10:27:34 AM (1 occurrences) Last logged: 10:27:34 AM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1178; iOS 18.3.2) Alamofire/5.8.0)

[DJS91]

I had to roll back to pre-password change to stop it. Happen for anyone else after an account password change?

[DavidA359]

Same issue here. Very frequent!

Logger: homeassistant.components.http.ban Source: components/http/ban.py:136 integration: HTTP (documentation, issues) First occurred: March 26, 2025 at 4:30:20 AM (1022 occurrences) Last logged: March 27, 2025 at 11:31:55 PM

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2025.2 (io.robbie.HomeAssistant; build:2025.1178; iOS 18.3.2) Alamofire/5.8.0)

[rob-s-l]

same here with WeHeat integration

Login attempt or request with invalid authentication Requested URL: '/auth/token'. (HomeAssistant-Extensions-PushProvider/2025.2 (io.robbie.HomeAssistant.PushProvider; build:2025.1178; iOS 18.3.2) Alamofire/5.8.0) Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0) Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0) Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/login_flow/382fd7ff3f9e80b751049fa01a022601'. (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0)

updating python and pip solved my problems!

[notDavid]

FYI: I notice this issue always seems to happen, when my Macbook wakes from sleep.

[Velo1901]

Logger: homeassistant.components.http.ban Bron: components/http/ban.py:136 integratie: HTTP (documentatie, problemen) Eerst voorgekomen: 13:29:52 (197 gebeurtenissen) Laatst gelogd: 15:21:54

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (HomeAssistant-Extensions-Widgets/2025.3 (io.robbie.HomeAssistant.Widgets; build:2025.1205; macOS(Catalyst) 15.5.0) Alamofire/5.8.0) Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2025.3 (io.robbie.HomeAssistant; build:2025.1205; iOS 18.4.0) Alamofire/5.8.0)

Any help with this?

[Velo1901]

I removed the home assistant app from MacBook and my wife's iPhone, it solved the problem.

[Velo1901]

Same issue on my setup (since 2025.4.x) when retrieving data from EVCC (running as add-on in HA) (over 100 error reports/minute):

Login attempt or request with invalid authentication from homeassistant.u10 (192.168.1.11). Requested URL: '/api/states/switch.fietsladerstekker'. (Go-http-client/1.1)

Is there any way I can help diagnosing?

I've tried using the home-assistant.local as well as the ip address and did create a new Long Lived access token. I've also tried using a simple CURL command, that works fine

I think removing the apps works well.

[Velo1901]

The app on my wife's phone

[josedaidone]

The app on my wife's phone

But this is not a proper fix. I want to continue using the app.

[Velo1901]

The Home Wizard app on my iPhone still works, but I reinstall the HA Green and both the Mac and my wife's iPhone used the old settings.

[ablansinger]

I have also started getting a lot of this failed login attempts, I thought it was because I had started the NABU CASA trial period aproximately at same time. My wife have an iphone and an ipad, I dont know which one triggers it but I also dont want to unistall the companion app.

[pvmil]

Removed my comments, for me it was a user error...

[DanTulovsky]

I just upgraded to the paid nabucasa access, and now I am inundated with failed login messages, all referencing /websocket api...

Is there something to be done here? They all reference the machine I am on..

[bru73f0rc3]

Same as @DanTulovsky - The moment i moved my Nabu Casa account from my old home assistant instance to the new one, i'm getting these Warnings every 15 seconds (on the new one):

2025-05-16 21:47:40.502 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/websocket'. (Home Assistant/2025.3 (io.robbie.HomeAssistant; build:2025.1205; iOS 18.5.0))

Happy to try and debug if there's something specific to run or set.

[bru73f0rc3]

If you're like me and you're also going nuts with the constant persistent notification, you can use this automation to at least get rid of it until some solution becomes available:

alias: Remove localhost login error notifications
description: ""
triggers:
  - trigger: persistent_notification
    update_type:
      - added
    notification_id: http-login
conditions:
  - condition: template
    value_template: >-
      {{ 'Login attempt or request with invalid authentication from localhost'
      in trigger.notification.message }}
actions:
  - action: persistent_notification.dismiss
    metadata: {}
    data:
      notification_id: http-login
mode: single

[ablansinger]

Yesterday I canceled my nabu casa cloud, and I have not seen the login failed alerts since. I guess I have to get vpn runing instead of using nabu casa.

[fredck]

I have multiple users in my home with the app installed on their phones, and I’ve been seeing this error across several releases. It’s difficult to handle because the logs don’t clearly identify which user or device failed to log in — they only show an IP address, which is mostly useless since users are on 5G.

[wagnerpizza]

Same problem here and additional a lot of reconnects with companion app.

`Logger: homeassistant.components.http.ban Quelle: components/http/ban.py:136 Integration: HTTP (Dokumentation, Probleme) Erstmals aufgetreten: 7. Juni 2025 um 04:45:03 (122 Vorkommnisse) Zuletzt protokolliert: 21:16:11

Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/api/states'. (Home Assistant/2025.5 (io.robbie.HomeAssistant; build:2025.1264; iPadOS 18.5.0)) Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/auth/token'. (Home Assistant/2025.5 (io.robbie.HomeAssistant; build:2025.1264; iOS 18.5.0) Alamofire/5.8.0) Login attempt or request with invalid authentication from 192.168.178.74 (192.168.178.74). Requested '. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Home Assistant/2025.5 (io.robbie.HomeAssistant; build:2025.1264; iPadOS 18.5.0) Mobile/HomeAssistant, like Safari) Login attempt or request with invalid authentication from 192.168.178.74 (192.168.178.74). Requested URL: '/auth/token'. (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15) `

[BrainInBlack]

Solution for Companion App Users

1. Uninstall the App
2. ReInstall the App

Yes, it sounds funny but it works in most cases.

In the case of the MacOS App, it might be best to use an App Cleaner to get rid of residual files and other artifacts.

[ablansinger]

Solution for Companion App Users

1. Uninstall the App

2. ReInstall the App

Yes, it sounds funny but it works in most cases.

In the case of the MacOS App, it might be best to use an App Cleaner to get rid of residual files and other artifacts.

Thank you for the advice, but unfortunately it does not solve the issue.

I stopped the trial period and without the cloud access I did not get any Login errors. Now I have got a real subscription and the login errors came back. I have an iphone, and an ipad and an android device connected. After uninstalling both iphone and ipad the error login messages stopped. Now after installing the app on both, the login errors appear again.

[mukaschultze]

I've spent nearly a month troubleshooting this bug without pinpointing the exact cause, but I'm sharing my findings for any future developer investigating it:

The main issue is that the Android companion app sometimes sends expired tokens (up to 15 minutes past their expiration).

I reviewed the companion app’s source code and found no reason for this behavior. All checks to prevent expired tokens appear to be in place, yet Home Assistant Core still receives them.

Both the app and Core use UTC for token expiration checks, and system clocks were synchronized, so time zone issues or clock drift can be ruled out.

Another odd behavior: sometimes Home Assistant logs a warning that the WebSocket didn’t receive an auth message within 10 seconds https://github.com/home-assistant/core/issues/136620. This doesn’t make sense, logs show the companion app sends the auth message immediately, and reverse proxy logs confirm the connection is faster than 10 secs.

The only remaining theory is network throttling, possibly due to Doze mode or a similar mechanism, but I haven’t found a reliable way to test this yet.

[eharrison84]

I'm seeing this error when trying to use HASS Agent. Can't get past the API Token screen.

[yschimke]

localhost is because it's via Nabu Cloud - see https://github.com/home-assistant/core/issues/154671 and https://github.com/home-assistant/core/issues/96597

[puetsch]

I'm having the same issue of getting these "login failed" notifications regularly.

Seems to be related / the same issue as:

• https://github.com/home-assistant/core/issues/90117
• https://github.com/home-assistant/core/issues/114575
• https://github.com/home-assistant/core/issues/154671

@mukaschultze Thanks for your forensics. There could be something to your theory of "battery optimization". What if the app is "put to sleep" by Android while not in foreground use just as it's about to send out the token. When the token is eventually sent (upon next wakeup), it's expired.

Couple of thoughts:

1. Is there really a big benefit to showing these "login failed" messages on the main screen (vs. in a debug log)? Maybe only show repeated failed attempts? (like >5 in the last 24 hrs or so)
2. It would be helpful to have a more descriptive error message, e.g. which device caused the failed login (currently, it just shows the IP)
3. If I knew which device caused it, I could switch off battery optimization for the companian app and see what happens.