Failed to Authenticate Connection

A player is kicked with 'Failed to verify username' or 'Failed to authenticate your connection'. The server runs in online mode and could not validate the player's account against Mojang/Microsoft's session servers.

What does this error mean?
In online mode the server checks each login with the official session servers. This failure means that check did not succeed, commonly during an auth outage, or, behind a proxy, when IP forwarding is not configured so the backend cannot verify the player. 
Failed to verify username! / Failed to authenticate your connection
Most Common Causes
  • A temporary Mojang/Microsoft authentication outage.
  • A proxy (BungeeCord/Velocity) without correct IP forwarding to the backend.
  • The backend in online mode while sitting behind a proxy (should be offline + forwarding).
  • A mismatched forwarding secret (modern forwarding / BungeeGuard).
  • A client-side session problem.
How To Diagnose
  1. Check whether everyone is affected (suggests an outage or proxy config) or just one player.
  2. Look at the Mojang/Microsoft status pages.
  3. If using a proxy, verify forwarding mode and secret match on both sides.
  4. Confirm online-mode settings are correct for your topology.
Recommended Fixes
  • Wait out an auth outage
    If Mojang/Microsoft auth is down, the fix is to wait, nothing is misconfigured locally.
  • Configure proxy forwarding
    On BungeeCord/Velocity, enable IP forwarding and set the matching secret on each backend.
  • Set online-mode correctly
    Behind a proxy, backends run offline mode with secure forwarding, never plain offline mode exposed publicly.
  • Match the forwarding secret
    Ensure the Velocity modern-forwarding / BungeeGuard secret is identical on proxy and backends.
Analyze My Log
Frequently Asked Questions

No, invalid session is a client-side login issue. This is the server failing to verify the account, often a proxy/outage matter.

Without proper IP forwarding, the backend cannot confirm the player's identity, so authentication fails.

Behind a proxy, backends use offline mode with secure forwarding so only the proxy authenticates, never exposed offline directly.