Auth & Session Errors

Use this page when a login, OTP, MPIN, TOTP, token, device, or session check fails.

When authentication fails, pause trading requests until the session is valid again. If an order placement, modify, or cancel request may already have reached Nubra, check the latest order status before sending the same request again.

What This Means

Auth and session errors usually mean one of three things:

  • The user has not completed the login flow.
  • The saved session is missing, expired, or no longer trusted.
  • The request is using the wrong device, environment, account, or API access context.

Treat these errors as a login/session problem first. Do not handle them as ordinary trading failures.

Common Retail Causes

| Cause | What it usually means | What to do |
|---|---|---|
| Session expired | The saved login session is no longer valid. | Sign in again and create a fresh session. |
| OTP expired or incorrect | The OTP was entered late, entered incorrectly, or belongs to an older login attempt. | Request a new OTP and complete the same login flow. |
| MPIN incorrect | The MPIN does not match the account. | Re-enter the MPIN carefully. Stop after repeated failures. |
| TOTP invalid | The authenticator code is wrong, expired, or the device clock is out of sync. | Use the latest code and check device time sync. |
| Token missing | Login did not complete successfully or local session data is incomplete. | Restart login and store the new token/session values. |
| Device ID changed | The session was created with a different x-device-id. | Use the same device ID throughout login and API calls. |
| Wrong environment | UAT credentials are being used on PROD, or PROD credentials on UAT. | Match credentials, base URL, and environment. |
| API access blocked | The account or network is not allowed to access the API. | Check API access settings or contact Nubra support. |

First Response Flow

Auth/session error
      |
      v
Pause trading requests
      |
      v
Did the error happen during login?
      |                     |
     Yes                    No
      |                     |
      v                     v
Restart the failed       Was it a trading action?
login step with             |              |
fresh OTP/TOTP             Yes             No
                            |              |
                            v              v
                     Check latest       Re-authenticate,
                     order status       then retry if safe
                     before retry

Safe Retry Rules

| Request type | Retry guidance |
|---|---|
| Login OTP, MPIN, or TOTP step | Retry only with a fresh or correct credential for the same login flow. |
| Read-only API after session repair | Retry after the SDK or app has a valid session again. |
| Order placement | Do not repeat until you know whether the first order was accepted. |
| Order modify or cancel | Check the latest order state before sending another modify/cancel request. |
| Validation or access failure | Do not retry unchanged. Fix the account, environment, device, token, or access setting first. |

User vs Internal Message

| Technical signal | Retail user message |
|---|---|
| Unauthorized even after re-login | Your session has expired. Please sign in again. |
| OTP verification failed | The OTP is incorrect or expired. Request a new OTP and try again. |
| MPIN verification failed | The MPIN entered is incorrect. Please check it and try again. |
| TOTP verification failed | The authenticator code is invalid or expired. Use the latest code. |
| auth_token missing | Login could not be completed. Please restart the login flow. |
| x-device-id missing | Device information is missing. Restart login using the same device ID. |
| IP not whitelisted | API access is not enabled for this network. Check API access settings or contact support. |

Logging Fields

Log enough detail to debug the failure, but do not expose secrets, OTPs, MPINs, or full tokens.

  • trace_id or request_id
  • masked user/account identifier, if available
  • auth step, such as send OTP, verify OTP, verify MPIN, verify TOTP, or refresh session
  • environment, such as UAT or PROD
  • x-device-id
  • HTTP status
  • sanitized response body
  • retry count
  • order ID or basket ID, if the auth error happened after a trading request was sent
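
One way to build a log record from the field list above while keeping OTPs, MPINs, and tokens out of it. This is an added example, not part of the Nubra documentation or SDK; the function names, the secret key names, and the sample values are assumptions made for illustration.

```python
import json
import re

# Field names treated as secrets (assumed for this example; match them to the real payloads).
SECRET_KEYS = {"otp", "mpin", "totp", "auth_token", "session_token", "authorization"}
# Long opaque runs (JWT-like or bearer-like) embedded in free-text values.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{20,}(?:\.[A-Za-z0-9_\-]+)*")

def mask_id(value, keep=4):
    """Show only the last `keep` characters of an account or phone identifier."""
    s = str(value)
    if len(s) <= keep:
        return "*" * len(s)
    return "*" * (len(s) - keep) + s[-keep:]

def sanitize(obj):
    """Recursively redact secret fields and token-like strings in a response body."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SECRET_KEYS else sanitize(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [sanitize(v) for v in obj]
    if isinstance(obj, str):
        return TOKEN_RE.sub("[REDACTED]", obj)
    return obj

def auth_log_record(*, request_id, account, auth_step, environment, device_id,
                    http_status, response_body, retry_count, order_id=None):
    """Build one JSON log line with the fields listed above and no secrets."""
    record = {
        "request_id": request_id,
        "account": mask_id(account),
        "auth_step": auth_step,
        "environment": environment,
        "x-device-id": device_id,
        "http_status": http_status,
        "response_body": sanitize(response_body),
        "retry_count": retry_count,
    }
    if order_id is not None:  # set only when a trading request was already sent
        record["order_id"] = order_id
    return json.dumps(record, sort_keys=True)

if __name__ == "__main__":
    # Constructed sample failure; none of these values come from a real account.
    body = {"message": "token CONSTRUCTEDSAMPLETOKEN000001.abc.def rejected", "otp": "000000"}
    print(auth_log_record(request_id="req-constructed-1", account="9876543210",
                          auth_step="verify OTP", environment="UAT", device_id="dev-01",
                          http_status=401, response_body=body, retry_count=1))
```

The token pattern deliberately over-redacts: any run of 20 or more token-like characters in a free-text value is replaced, so keep identifiers you need for debugging in their own fields rather than inside the response body.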

Retail Copy Standards

  • Use "sign in" in user-facing messages and "authenticate" in developer notes.
  • Use "session expired" instead of "unauthorized" for retail users.
  • Keep OTP, MPIN, and TOTP distinct. Do not call all three "auth code".
  • Never show raw backend responses as the main user message.
  • Use "user", "account", or "session" instead of "client" unless referring to SDK client code.
  • Mask sensitive values before logging or sharing with support.