Cannot authenticate to terraform repository

On Sonatype Nexus Repository CE v3.90.2-06 (docker, linux amd64), with the Terraform Token Realm enabled, and Anonymous Access disabled, I’m unable to authenticate to a terraform repository when appending a base64 encoded version of username:password to the repo’s url (https://<domain>/repository/terraform/v1/providers/<base64>/) as explained in the documentation.

Have tried on both a group and a hosted repository, but the result is the same. Have also tried with a password without any special characters to no luck. Not sure if there’s something else I’m missing, but any help with this would be greatly appreciated!

Hi @OrfeasZ can you confirm if you have enabled the terraform bearer token? Please share config and logs.

Hey @laxmi-st. If by terraform bearer token you mean the Terraform Token Realm, then yes, it’s enabled. I can also see TerraformToken under realmNames in realmConfigurationExport.json.

The configuration is entirely default, and the only thing in nexus.properties is nexus.datastore.enabled=true from the migration to H2.

In the logs, I can see the following after enabling TRACE logging:

2026-04-05 02:07:38,117+0000 TRACE [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Attempting to authenticate token [org.sonatype.nexus.security.authc.NexusApiKeyAuthenticationToken - TerraformToken (192.168.122.1)] using realm of type [com.sonatype.nexus.repository.terraform.internal.security.TerraformTokenRealm@51c62d81]
2026-04-05 02:07:38,117+0000 TRACE [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Iterating through [10] realms for PAM authentication
2026-04-05 02:07:38,117+0000 TRACE [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Realm of type [com.sonatype.nexus.repository.terraform.internal.security.TerraformTokenRealm@51c62d81] does not support token [org.apache.shiro.authc.UsernamePasswordToken - readonly, rememberMe=false]; skipping realm
2026-04-05 02:07:38,117+0000 TRACE [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Attempting to authenticate token [org.apache.shiro.authc.UsernamePasswordToken - readonly, rememberMe=false] using realm of type [org.sonatype.nexus.security.internal.AuthenticatingRealmImpl@557a2fe7]
2026-04-05 02:07:38,117+0000 DEBUG [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.internal.DefaultSecurityPasswordService - PHC format invalid, falling back to legacy password service
2026-04-05 02:07:38,119+0000 TRACE [qtp761406416-5515]  *UNKNOWN org.sonatype.nexus.security.authc.FirstSuccessfulModularRealmAuthenticator - Realm [org.sonatype.nexus.security.internal.AuthenticatingRealmImpl@557a2fe7] threw an exception during a multi-realm authentication attempt
org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - readonly, rememberMe=false] did not match the expected credentials.

@laxmi-st Any insight on this?

@OrfeasZ we have tried with the same configuration in CE and don’t see any authentication issues.

Here is the .terraformrc sample configuration:

Example User and Password: admin/admin123

Base64(admin:admin123) : YWRtaW46YWRtaW4xMjM=

~/.terraformrc

host "registry.terraform.io" {
  services = {
    "modules.v1" = "https://test.com/repository/terraform-group/v1/modules/YWRtaW46YWRtaW4xMjM=/",
    "providers.v1" = "https://test.com/repository/terraform-group/v1/providers/YWRtaW46YWRtaW4xMjM=/"
  }
}

After a lot of head scratching I managed to fix the issue by updating my user’s roles (added one, saved, removed it again, and saved again). Maybe something went wrong during the migration to H2? Not entirely sure, but at least it works now!

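A client-side check for the token segment used in the .terraformrc above, as an added example that is not from any poster in this thread or from Sonatype. The function names are hypothetical; the URL layout (`/v1/providers/<base64>/` and `/v1/modules/<base64>/`) and the sample token are taken from the thread.

```python
import base64
import binascii
import re

# Path layout as shown in the thread: .../v1/providers/<base64>/ or .../v1/modules/<base64>/
TOKEN_RE = re.compile(r"/v1/(?:providers|modules)/([^/]+)/?$")


def make_token(username: str, password: str) -> str:
    """Base64 of 'username:password' with no trailing newline."""
    return base64.b64encode(f"{username}:{password}".encode()).decode("ascii")


def check_service_url(url: str) -> dict:
    """Decode the credential segment of a service URL and report problems."""
    result = {"username": None, "problems": []}
    match = TOKEN_RE.search(url)
    if not match:
        result["problems"].append("no token segment after /v1/providers/ or /v1/modules/")
        return result
    try:
        # validate=True rejects characters outside the standard base64 alphabet
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        result["problems"].append("token segment is not valid base64")
        return result
    text = raw.decode("utf-8", errors="replace")
    if text != text.strip():
        # Typical cause: `echo user:pass | base64` without -n encodes a newline too
        result["problems"].append("decoded value has leading/trailing whitespace")
    username, sep, password = text.strip().partition(":")
    if not sep or not username or not password:
        result["problems"].append("decoded value is not username:password")
        return result
    result["username"] = username  # the password is deliberately never returned
    return result


if __name__ == "__main__":
    # Sample URL from the thread (admin/admin123 example credentials)
    url = "https://test.com/repository/terraform-group/v1/providers/YWRtaW46YWRtaW4xMjM=/"
    print(check_service_url(url))
```

A clean result only means the client-side token is well formed; it cannot tell whether the server accepts the password for that user.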