Unable to login 400 Bad Request: Auth-Email header invalid.

[jjmmfi]

A few months back, I updated from lets say 2025.5 to 2025.8 version w/ BitBetter update. I think that was when they moved to GitHub Container Registry. All containers seem to be up and running, but I am getting this error 400 bad request on all clients are unable to log in after I type my password. Passkey login says incorrect passkey. Currently, I have the latest build of BitBetter (just cloned the repo) and Bitwarden with the instructions. Same with all web clients, browser extentions and mobile apps. I have had it work for 2 years.

400 bad request {"error":"invalid_grant","error_description":"Auth-Email header invalid."}

I am using Cloudflare with full strict SSL with server origin certificate, and that has been working for a long time with Bitwarden.

ChatGPT keeps telling me this, but it can't find the source, so not sure if I would believe it.
In newer Bitwarden versions (2025+), they tightened auth validation:
The email used for login must be present in the headers
Proxies must forward headers exactly

[jjmmfi]

Also, I have this in the identity Docker container logs . webauth and one browser extention not working to login can be seen there but it does not log anything about web interface or local app login attempts:

fail: Duende.IdentityServer.Validation.TokenRequestValidator[0]
=> SpanId:42fc0b30ed81e266, TraceId:f92710f8934565a602df1f830ed89d85, ParentId:0000000000000000 => ConnectionId:0HNJ205646N63 => RequestPath:/identity/connect/token RequestId:0HNJ205646N63:00000001 => IpAddress:136.33.150.212 UserAgent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 DeviceType:9 Origin:9 ClientVersion:2026.1.0
Invalid extension grant { error = invalid_grant }, details: {
"ClientId": "web",
"GrantType": "webauthn",
"Scopes": "api offline_access",
"AuthorizationCode": "",
"RefreshToken": "",
"Raw": {
"scope": "api offline_access",
"client_id": "web",
"deviceType": "9",
"deviceIdentifier": "ab791dde-e0cc-4f5b-ab9d-a535e221a88c",
"deviceName": "chrome",
"grant_type": "webauthn",
"token": "BWWebAuthnLoginAssertionOptions_CfDJ8Gbvr3k9LUlLrgXQAFy2yHypJ0zKYL7J6cYv3z1qMwUsgYEH0fxhhlIuIrtJuLv9afni3eg2G0yjIcJJQ5ET54XIQM1EmbGO1NbOLGwOLzgVezUXtLMVseWrdFB3Jn3iMI3PzSuFHoDGenppJxlDPUXgIYnCX0S7MqfFvkgOBHdcQHEF9upp_JXVE7Gg6tRbbWAmQvkbxyk-w3lrOzveQYWffWiAvllkK4fQYSXMb9h86pnBGnsNUO2EvEwBA-b7t3GF1raEkFoCBeoUgloAsMYkUfIGFWXct4syBbiEdnomCkzu9CzyYHk77LHf7JqG-6KgQVcPiSnbEPFZzAoCObotX_AImKZHcai4R__iYsKvNA05-ll1je3PD2k67bZbnr9YJhF0ibqT7bf1zvs7WiqeVCWE_r_kE_onnB5gOjwpA12mdoOtV0S6puCwL-8TIslPzDCpy2CkdweeDn73_HGWX-3sy_2hptLHhje8NF5_",
"deviceResponse": "{\u0022id\u0022:\u0022huoezVxlFQC6Hj0FvGXEjqZlF5w\u0022,\u0022rawId\u0022:\u0022huoezVxlFQC6Hj0FvGXEjqZlF5w\u0022,\u0022type\u0022:\u0022public-key\u0022,\u0022extensions\u0022:{},\u0022response\u0022:{\u0022authenticatorData\u0022:\u00226WlK2uZpi9ssEVaNVbKSUYdArM34646GtVgKfcfjkl0dAAAAAA\u0022,\u0022signature\u0022:\u0022MEUCIQCX6Cl5r9LL3O5_cmreFYq5d8J6LahBCwDHdbGe6jc-pgIgZCQnVn8eX7i5u5DJKTqa95JdzBTLmHPGOZbW6nav4_Y\u0022,\u0022clientDataJSON\u0022:\u0022eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiQ284SDA0NjRBSkF2ZXZBNVpCWWlyZyIsIm9yaWdpbiI6Imh0dHBzOi8vYi5qbW0uZmkiLCJjcm9zc09yaWdpbiI6ZmFsc2V9\u0022,\u0022userHandle\u0022:\u0022grTOFZhny0C7YrCFAIMhQw\u0022}}"
}
}
warn: Duende.IdentityServer.Hosting.CorsPolicyProvider[0]
=> SpanId:14324c0c75ad9121, TraceId:962a1c2e893b4cab483db0431cbbc4a8, ParentId:0000000000000000 => ConnectionId:0HNJ205646N6L => RequestPath:/identity/connect/token RequestId:0HNJ205646N6L:00000001 => IpAddress:136.33.150.212 UserAgent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 DeviceType:2 Origin:2 ClientVersion:2025.12.1
CorsPolicyService did not allow origin: chrome-extension://nngceckbapebfimnlniiiahkandclblb
warn: Duende.IdentityServer.Hosting.CorsPolicyProvider[0]
=> SpanId:7a70ad0b0ed5bba0, TraceId:453d8127909e1b02f2c702479b9fa14c, ParentId:0000000000000000 => ConnectionId:0HNJ205646N6M => RequestPath:/identity/connect/token RequestId:0HNJ205646N6M:00000001 => IpAddress:136.33.150.212 UserAgent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 DeviceType:2 Origin:2 ClientVersion:2025.12.1
CorsPolicyService did not allow origin: chrome-extension://nngceckbapebfimnlniiiahkandclblb