Cursor "Authentication failed": 5 causes in diagnostic order

Cursor shows "Authentication failed" or silently logs you out when its auth token can't be validated against the Cursor backend. This usually happens after a token expiry, a network change, or a credential cache corruption — not because your account has a problem. This page covers all five causes in the order you should check them, with exact fix steps for each.

What the error looks like

Cursor surfaces authentication failures in a few different ways depending on where in the auth flow the failure occurs:

• A red toast notification: "Authentication failed. Please sign in again."
• The account panel in Settings showing your email with a warning icon and a "Sign in" button
• All AI features returning "Not signed in" or refusing to complete requests
• The status bar showing no model indicator where one was previously shown

In all cases the root cause is the same: Cursor can't produce a valid session token for its API calls.

Cause 1: Expired auth token (most common)

Cursor issues session tokens with a finite lifetime. If Cursor is closed for an extended period or the system clock drifts significantly, the token may expire before silent renewal succeeds. This is the most common cause of unexpected logouts that aren't triggered by any user action.

Fix:

1. Open Cursor → Settings (gear icon) → Account.
2. Click Sign out.
3. Restart Cursor completely (quit and reopen, not just close the window).
4. Sign back in. If you see a browser window open for the OAuth flow, complete it fully — don't close it before it redirects back to Cursor.

Cause 2: Proxy or VPN blocking the OAuth callback

Corporate proxies that perform TLS inspection (SSL bump / man-in-the-middle) can intercept Cursor's OAuth token exchange. The login page loads, you authenticate, but the callback URL that delivers the token back to Cursor is intercepted and the handshake fails silently.

Domains Cursor needs unrestricted HTTPS access to:

cursor.sh
api2.cursor.sh
api.cursor.sh
# Plus the OAuth provider you use:
github.com         (GitHub login)
accounts.google.com (Google login)

Fix: ask your network admin to whitelist these domains for TLS pass-through, or temporarily disable your VPN while authenticating, then reconnect after you have a valid session. Once the token is cached, most VPN configurations won't interfere with the renewal requests.

Cause 3: Corrupted OS keychain / credential cache

Cursor stores auth tokens in the OS keychain (macOS Keychain Access, Windows Credential Manager, libsecret on Linux). After certain OS updates or Cursor version upgrades, the stored token format can become unreadable — Cursor can't decrypt the stored token and fails silently, showing the auth error rather than a clear "can't read keychain" message.

Fix — macOS:

1. Open Keychain Access (Applications → Utilities).
2. Search for cursor in the search bar.
3. Delete all Cursor entries.
4. Restart Cursor and sign in again.

Fix — Windows:

1. Open Credential Manager (Control Panel → User Accounts → Credential Manager).
2. Click Windows Credentials.
3. Remove any entries starting with cursor.
4. Restart Cursor and sign in again.

Fix — Linux:

rm -rf ~/.config/Cursor/Local\ Storage/
rm -rf ~/.config/Cursor/Session\ Storage/
# Then restart Cursor

Cause 4: SSO / enterprise IdP session expired

If your Cursor account is linked to a company SSO (via GitHub Enterprise, Google Workspace, or a SAML IdP), Cursor's token is backed by the upstream IdP session. When that IdP session expires — typically after 8–24 hours depending on your org's policy — Cursor can't renew its token silently and shows "Authentication failed."

Fix:

1. Sign out of Cursor.
2. Open your IdP portal (e.g., Okta, Azure AD, Google Workspace) in a browser and verify you're signed in there first.
3. Return to Cursor and sign in. The OAuth flow will pick up your active IdP session without requiring you to re-enter credentials.

Cause 5: Cursor version mismatch after update

Cursor ships frequent updates that can change how auth tokens are structured or how the keychain is accessed. Updating Cursor without fully restarting (e.g., applying an update while a window is still open) can leave old auth state that the new version can't parse.

Fix:

1. Quit Cursor completely — on macOS, Cmd+Q, not just closing the window.
2. Wait 10 seconds, then reopen Cursor.
3. If still failing, sign out, clear the keychain (Cause 3 steps above), and sign in fresh.

How to verify your session is active after fixing

After re-authenticating, confirm the session is valid before assuming the fix worked:

• Open Settings → Account — your email should appear without a warning icon.
• Open a file and trigger a Cursor Tab or Cmd+K completion — if you see AI output, the session is live.
• Check the model indicator in the status bar — it should show a model name (e.g., "claude-sonnet" or "gpt-4o"), not "Not signed in".

FAQ

Does signing out of Cursor delete my settings or keybindings? No. Signing out only removes the auth token. All settings, extensions, keybindings, and custom rules are stored locally and are unaffected.

I signed in successfully but the auth error returns after a few hours. Why? This usually means the token renewal is being blocked — typically by a VPN or proxy (Cause 2) that allows the initial login but blocks background refresh requests. Check whether the issue correlates with connecting to a VPN.

Can I use Cursor with a personal account at work even if my company has a Cursor Business account? Yes, but your personal account's session is independent. If your machine is managed, a corporate MDM profile may restrict the OAuth callback domains — see Cause 2.

Related

• GitHub Copilot not showing in VS Code: 6 causes & fixes
• Claude Code permission denied: what it means & how to fix it
• Cursor vs GitHub Copilot: which is better for your workflow?

Last updated June 2026. Verified against Cursor's current auth flow and macOS/Windows/Linux credential stores.