How do I fix the tracking failure ‘Request was not authenticated but should have’
The error ‘Request was not authenticated but should have’ occurs when sending a tracking request with parameters that require authentication, but no valid token_auth was provided.
This can happen in the following cases:
- The request includes sensitive fields such as cip (visitor IP) or cdt (custom timestamp) that require authentication.
- A token was provided but was incorrectly configured, or was marked as Only allow secure requests and used in an unsupported context (e.g. GET requests). This option is enabled/disabled in Matomo settings (Administration) > Personal > Security.
- The request comes from a mobile SDK and includes a cdt value that is too far back in the past.
The sections below explain how to resolve these issues.
Include a valid authentication token
To use sensitive tracking parameters like cip or cdt, your request must include a valid token_auth from a user with at least write permission. Make sure the token hasn’t changed or been copied incorrectly. If needed, generate a new token_auth.
Late tracking from mobile SDKs
If you’re sending tracking data from a mobile app (e.g. using the Matomo iOS or Android SDK), you could see this error when a request includes a cdt timestamp that is more than one day old.
By default, Matomo accepts custom timestamps up to one day in the past. Matomo On-Premise users can extend this window by updating the server configuration in config.ini.php:
[Tracker]
tracking_requests_require_authentication_when_custom_timestamp_newer_than = 864000;
If you are using Matomo Cloud, contact the support team to request the change to your configuration.
Understanding token behaviour with GET vs POST requests
When using the Matomo API for tracking or reporting, the way you send the token_auth affects whether authentication succeeds. The behaviour differs depending on whether your requests use GET or POST.
GET requests
The token is sent in the URL query string and it is not encrypted. Do not enable the Only allow secure requests option for tokens used in GET tracking requests. This is especially important when using integrations such as WooCommerce, Matomo for WordPress, or Looker Studio, which send tracking or reporting requests via GET.
If the token is marked as secure only, Matomo will ignore it in GET-based or non-HTTPS requests, and the request will fail to authenticate.
POST requests
The token is sent securely in the request body (assuming HTTPS), so you can safely mark these tokens as Only allow secure requests in Matomo.
Matching your token settings to the request method ensures secure and reliable authentication, especially when working with external plugins and integrations.
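
A pre-flight check for the three cases above, as an added example that is not Matomo's own code: it models the rules this page describes in simplified form and builds (without sending) a POST request that carries the token in the body. The host, token value and function names are assumptions, and cdt is assumed to be a Unix timestamp.

```python
import time
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

DEFAULT_CDT_WINDOW = 86400  # seconds; the one-day default described above


def needs_auth(params, now=None, cdt_window=DEFAULT_CDT_WINDOW):
    """Simplified model: cip always needs a token, cdt only when too old."""
    now = time.time() if now is None else now
    if "cip" in params:
        return True
    cdt = params.get("cdt")  # assumed here to be a Unix timestamp
    return cdt is not None and now - float(cdt) > cdt_window


def auth_problem(method, url, params, token_auth=None, secure_only=False, **kw):
    """Return why authentication would fail, or None if the request is fine."""
    if not needs_auth(params, **kw):
        return None
    if not token_auth:
        return "token_auth missing"
    insecure = method.upper() != "POST" or urlsplit(url).scheme != "https"
    if secure_only and insecure:
        return "secure-only token ignored outside HTTPS POST"
    return None


def build_post(url, params, token_auth):
    """Build (without sending) a request carrying token_auth in the POST body."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to put token_auth on a non-HTTPS request")
    body = urlencode({**params, "token_auth": token_auth}).encode()
    return Request(url, data=body, method="POST")


# Constructed sample values: the host and token are placeholders.
URL = "https://matomo.example/matomo.php"
TOKEN = "0" * 32
NOW = 1_700_000_000
LATE_HIT = {"idsite": 1, "rec": 1, "cip": "203.0.113.7", "cdt": NOW - 3 * 86400}

if __name__ == "__main__":
    print(auth_problem("GET", URL, LATE_HIT, now=NOW))
    print(auth_problem("GET", URL, LATE_HIT, TOKEN, secure_only=True, now=NOW))
    print(auth_problem("POST", URL, LATE_HIT, TOKEN, secure_only=True, now=NOW))
    print(build_post(URL, LATE_HIT, TOKEN).get_method())
```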