
Registration fails with: [403] AuthorizationFailedException #1788

Open
exquo opened this issue Jun 8, 2025 · 2 comments

@exquo
Contributor

exquo commented Jun 8, 2025

Trying to register any number:

❯ signal-cli -a +12345678901 register --captcha 'signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.registration.P1_…'

Failed to register: [403] Authorization failed! (AuthorizationFailedException)

The long URL signalcaptcha://… is from https://signalcaptchas.org/registration/generate.html. (Trying a captcha from https://signalcaptchas.org/challenge/generate.html, get Invalid captcha given).

Registering on Android the same number from the same IP succeeds - the verification code gets sent.

Output of the above command in verbose mode (signal-cli -v …):
2025-06-08T10:34:26.117Z [main] DEBUG org.asamk.signal.App - Starting signal-cli 0.13.16
2025-06-08T10:34:27.573Z [main] DEBUG org.asamk.signal.util.IOUtils - XDG_DATA_HOME not set, falling back to home dir
2025-06-08T10:34:28.126Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
2025-06-08T10:34:28.301Z [main] INFO  com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Added connection org.sqlite.jdbc4.JDBC4Connection@1f2f9244
2025-06-08T10:34:28.303Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.
2025-06-08T10:34:31.765Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Shutdown initiated...
2025-06-08T10:34:31.770Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Shutdown completed.
Failed to register: [403] Authorization failed! (AuthorizationFailedException)
org.whispersystems.signalservice.api.push.exceptions.AuthorizationFailedException: [403] Authorization failed!
    at org.whispersystems.signalservice.api.NetworkResultUtil.toBasicLegacy(NetworkResultUtil.kt:73)
    at org.asamk.signal.manager.util.Utils.handleResponseException(Utils.java:158)
    at org.asamk.signal.manager.util.NumberVerificationUtils.submitCaptcha(NumberVerificationUtils.java:180)
    at org.asamk.signal.manager.util.NumberVerificationUtils.handleVerificationSession(NumberVerificationUtils.java:79)
    at org.asamk.signal.manager.internal.RegistrationManagerImpl.register(RegistrationManagerImpl.java:133)
    at org.asamk.signal.commands.RegisterCommand.register(RegisterCommand.java:80)
    at org.asamk.signal.commands.RegisterCommand.handleCommand(RegisterCommand.java:51)
    at org.asamk.signal.commands.CommandHandler.handleRegistrationCommand(CommandHandler.java:33)
    at org.asamk.signal.App.handleRegistrationCommand(App.java:268)
    at org.asamk.signal.App.handleCommand(App.java:177)
    at org.asamk.signal.App.init(App.java:147)
    at org.asamk.signal.Main.main(Main.java:56)

This is with the latest version of signal-cli (0.13.16), but the results are the same with the previous version.

Is there a way to troubleshoot this further?

@AsamK
Owner

AsamK commented Jun 8, 2025

The same error has been reported here: #1491 (comment)

Signal-Android by default doesn't use the captcha, but some different google play services based approach.
I can only reproduce the 403 error, when using the same captcha code twice. The first time registration works, the second time I get the 403 error.
So not sure what's going wrong here. You could try it from another IP address, with another phone number or have a look at the Signal-Server source code what could trigger a 403 response. 😅

@exquo
Contributor Author

exquo commented Jun 11, 2025

Looking at the Signal-Server source, the relevant code appears to be in VerificationController.java, particularly the /session/{sessionId} API endpoint, which has among its responses:

@ApiResponse(responseCode = "403", description = "The information provided was not accepted (e.g push challenge or captcha verification failed)")

It also invokes checkVerificationAttempt() from spam/RegistrationFraudChecker.java, which can throw a ForbiddenException (that I believe results in the same 403 response code). This makes it uncertain whether AuthorizationFailed happens due to an incorrect submitted captcha code, or to a suspected spam / abuse blocking. I think the abuse blocking mechanism of signal-server is not open-sourced, so we don't know for sure which factors influence it.

Other Signal-Server files that might be relevant here: controllers/RegistrationController.java; auth/PhoneVerificationTokenManager.java.

I have experimented with registering various phone numbers from different IPs, but so far have not discerned a clear pattern. The same number can give AuthFailed, succeed an hour later, and then give AuthFailed an hour later again (holding constant everything else, like the IP address). Numbers that one would expect to be "effectively the same", like +xxxxxxxxx01, +xxxxxxxxx02, …, succeed for some of them and fail for others (again, with other "parameters" held constant).

Some other factors that don't appear to make a difference:

  • Landline vs mobile numbers (for countries that have this distinction)
  • Whether a phone number matches the country of the IP address
  • Using a different browser to solve the captcha (on an off-chance its user-agent gets embedded in the captcha code)

Some numbers (or even the whole country codes) do appear likelier to succeed than others, though.

> I can only reproduce the 403 error, when using the same captcha code twice. The first time registration works, the second time I get the 403 error.

Maybe by the second attempt the original registration session had been closed (expired, or registered successfully)? By then the captcha would expire also, and would be rejected with 403 as any other "wrong" captcha.
In my experiments, if the verification code gets sent successfully, then running register shortly after on the same number works with any* captcha, or even with no captcha at all.
*As long as the captcha string still conforms to the pattern signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.registration.WHATEVER_HERE; and the second attempt is made after some time (~15 seconds ?), to avoid being rate-limited.

> Signal-Android by default doesn't use the captcha, but some different google play services based approach.

There is a "push challenge" in VerificationController referenced above; looks like it can be used instead of, or together with a captcha. FWIW I've used an Android phone with no Google services installed, so the captcha must have been the only verification method available.

To sum up: so far, it's not yet clear under what circumstances register returns Authorization Failed, and how to resolve it.

@exquo exquo changed the title Registration always fails with: [403] AuthorizationFailedException Registration fails with: [403] AuthorizationFailedException Jun 11, 2025
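
Added example, not part of the thread or of signal-cli's code: a small triage helper for the two things the thread checks by hand, namely which kind of captcha string was supplied (the registration page versus the challenge page) and which signal-cli step the 403 surfaced in. The function names, the skip list and the `.challenge.` sample string are assumptions made for this illustration; the log excerpt is copied from the verbose output quoted in the issue.

```python
import re

# Shape of the captcha string quoted in the issue:
#   signalcaptcha://signal-hcaptcha.<site-key UUID>.<action>.<token>
CAPTCHA_RE = re.compile(
    r"^signalcaptcha://signal-hcaptcha\."
    r"(?P<sitekey>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\."
    r"(?P<action>[a-z]+)\.(?P<token>\S+)$")
FAIL_RE = re.compile(r"^Failed to \w+: \[(?P<status>\d{3})\] .*\((?P<exc>\w+)\)$")
FRAME_RE = re.compile(
    r"^\s+at (?P<cls>org\.asamk\.signal\.[\w.]+)\.(?P<method>\w+)\(\w+\.\w+:\d+\)$")
# Assumption: this frame only maps the HTTP error to an exception, so skip it.
GENERIC_METHODS = {"handleResponseException"}

def captcha_action(captcha):
    """Return the action field ('registration', ...) or None if malformed."""
    m = CAPTCHA_RE.match(captcha.strip())
    return m.group("action") if m else None

def triage(verbose_output):
    """Extract HTTP status, exception name and first non-generic signal-cli frame."""
    result = {"status": None, "exception": None, "step": None}
    for line in verbose_output.splitlines():
        fail = FAIL_RE.match(line)
        if fail and result["status"] is None:
            result["status"] = int(fail.group("status"))
            result["exception"] = fail.group("exc")
        frame = FRAME_RE.match(line)
        if frame and result["step"] is None:
            if frame.group("method") in GENERIC_METHODS:
                continue
            cls = frame.group("cls").rsplit(".", 1)[-1]
            result["step"] = f"{cls}.{frame.group('method')}"
    return result

# Constructed captcha strings (site key from the issue, tokens made up).
SAMPLE_REG = "signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.registration.CONSTRUCTED"
SAMPLE_CHALLENGE = "signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.challenge.CONSTRUCTED"
# Excerpt of the verbose output quoted in the issue.
SAMPLE_LOG = """\
Failed to register: [403] Authorization failed! (AuthorizationFailedException)
    at org.whispersystems.signalservice.api.NetworkResultUtil.toBasicLegacy(NetworkResultUtil.kt:73)
    at org.asamk.signal.manager.util.Utils.handleResponseException(Utils.java:158)
    at org.asamk.signal.manager.util.NumberVerificationUtils.submitCaptcha(NumberVerificationUtils.java:180)
    at org.asamk.signal.manager.util.NumberVerificationUtils.handleVerificationSession(NumberVerificationUtils.java:79)
"""

if __name__ == "__main__":
    print(captcha_action(SAMPLE_REG), triage(SAMPLE_LOG))
```

On the trace from this issue the reported step is the captcha submission, which only localises the 403 to that request; as noted in the thread, it does not distinguish a rejected captcha from a fraud-check block.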