Kafka Exception AuthenticationException
This exception indicates that SASL authentication has failed. On authentication failure, clients abort the requested operation and raise one of the subclasses of this exception:
- SaslAuthenticationException if the SASL handshake fails with invalid credentials or any other failure specific to the SASL mechanism used for authentication.
- UnsupportedSaslMechanismException if the SASL mechanism requested by the client is not supported on the broker.
- IllegalSaslStateException if an unexpected request is received during the SASL handshake. This could be due to a misconfigured security protocol.
- SslAuthenticationException if the SSL handshake failed due to any SSLException.
Common Causes
- Invalid SASL credentials (wrong username/password) or an expired/invalid token in the JAAS config
- sasl.mechanism on the client does not match a mechanism enabled on the broker (e.g. client SCRAM-SHA-256 vs broker PLAIN)
- security.protocol mismatch (PLAINTEXT vs SASL_SSL) or a missing/incorrect JAAS sasl.jaas.config
Solutions
- Verify sasl.jaas.config credentials and that the principal exists (for SCRAM, check kafka-configs.sh --describe --entity-type users)
- Ensure client sasl.mechanism and security.protocol match the broker's listener configuration
- Read the exception message — it carries the specific failure reason from the broker's authenticator
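An offline pre-check for the configuration mismatches listed above, as an added example that is not part of the original page: it compares a client properties file with the broker's and reports protocol, mechanism and JAAS login-module mismatches. The sample configs are constructed, the finding codes are hypothetical, and it assumes listener names equal protocol names and that JAAS is supplied through sasl.jaas.config; a wrong password can only be detected by the broker.

```python
import re

# Constructed sample configs for illustration (not from a real cluster).
BROKER = """listeners=SASL_SSL://0.0.0.0:9093
sasl.enabled.mechanisms=PLAIN"""
CLIENT = """security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-256
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required username="app" password="PLACEHOLDER";"""

# JAAS login module that each SASL mechanism needs in sasl.jaas.config.
LOGIN_MODULE = {"PLAIN": "PlainLoginModule", "SCRAM-SHA-256": "ScramLoginModule",
                "SCRAM-SHA-512": "ScramLoginModule"}

def parse_props(text):
    """Parse simple key=value .properties lines (no line continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def check_client(client_text, broker_text):
    """Return (code, message) findings that can explain an AuthenticationException."""
    client, broker = parse_props(client_text), parse_props(broker_text)
    findings = []
    protocol = client.get("security.protocol", "PLAINTEXT")  # client default
    # Assumption: listener names equal protocol names (no listener.security.protocol.map).
    offered = set(re.findall(r"(\w+)://", broker.get("listeners", "")))
    if protocol not in offered:
        findings.append(("PROTOCOL", f"{protocol} not among broker listeners {sorted(offered)}"))
    if protocol.startswith("SASL_"):
        mechanism = client.get("sasl.mechanism", "GSSAPI")  # Kafka default
        enabled = {m.strip() for m in broker.get("sasl.enabled.mechanisms", "GSSAPI").split(",")}
        if mechanism not in enabled:
            findings.append(("MECHANISM", f"{mechanism} not in broker's {sorted(enabled)}"))
        jaas = client.get("sasl.jaas.config", "")
        module = LOGIN_MODULE.get(mechanism)
        if not jaas:
            findings.append(("JAAS_MISSING", "sasl.jaas.config is not set"))
        elif module and module not in jaas:
            findings.append(("JAAS_MODULE", f"{mechanism} expects {module}"))
    return findings

if __name__ == "__main__":
    for code, message in check_client(CLIENT, BROKER):
        print(f"{code}: {message}")
```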
Example Stack Trace
org.apache.kafka.common.errors.AuthenticationException: Authentication failed during authentication due to invalid credentials (the concrete subclass is usually SaslAuthenticationException or SslAuthenticationException)
Diagnostic Commands
# List configured SCRAM users on the broker
kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users
Related
Related Security exceptions: AuthorizationException · AuthorizerNotReadyException · ClusterAuthorizationException · GroupAuthorizationException · IllegalSaslStateException · SaslAuthenticationException · SslAuthenticationException · TopicAuthorizationException