Troubleshooting

This occurs when the request signature doesn't match the server's calculation.

• Verify your client_secret matches the value in the admin panel
• Ensure the timestamp in X-Timestamp is within 5 minutes of server time
• The signature payload must be: timestamp + "." + body
• Check for encoding differences — use UTF-8 consistently

Accounts are locked after 5 failed login attempts.

• Wait 30 minutes for automatic unlock
• Ask an admin to manually unlock from Admin Panel → Users
• The response includes remaining_minutes until auto-unlock

Usually caused by clock skew between the CAS server and your application.

• Sync server clocks with NTP
• Allow a 60-second tolerance when validating exp claims
• Check the token_ttl configuration value

• Verify the CAS_SERVER_URL environment variable
• Check firewall rules — port 8000 (or your configured port) must be open
• If using Docker, ensure containers are on the same network
• Test connectivity: curl https://your-cas-server.com/api/health

• Ensure your SSL certificate is valid and not expired
• For local development, add the self-signed CA to your trust store
• Verify the certificate covers your domain (check SANs)
• In PHP: set CURLOPT_CAINFO to your CA bundle path

• Check DB_HOST and DB_PORT values
• Verify PostgreSQL is running: pg_isready
• Check max connections: SHOW max_connections;
• Consider connection pooling with PgBouncer for high traffic

Your application is exceeding the rate limit. Check the Retry-After response header.

// Implement exponential backoff
const delay = Math.pow(2, retryCount) * 1000;
await new Promise(r => setTimeout(r, delay));