Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

While executing the authentication flow, the following error is returned:

{"errorCode": "0000011","errorMessage": "Not an intended action, proper x-flow-state header must be used"}
This error is thrown by the AuthManager Service (/auth/v1/) when a request arrives at an authentication step endpoint but the x-flow-state header is either missing, invalid, expired, or does not match the action that the server's flow state machine is currently expecting for that session.
In plain terms: the server knows where it is in the authentication flow for this session, and your request is asking it to do something that is not the next expected step.
| # | Root Cause | What Happens | Fix |
|---|---|---|---|
| 1 | Missing header | Request to a factor endpoint sent without any x-flow-state header | Always include the x-flow-state header on every call after the initial authorize redirect |
| 2 | Stale / expired token | The flow state has a TTL; idle sessions or slow clients time out | Restart the flow from GET /oauth2/v1/authorize or POST /auth/v1/authenticate to get a fresh token |
| 3 | Replayed token | The same flowState value is reused for a second request after it was already consumed by a prior call | Always store and use the latest flowState from the most recent response — never reuse a previous value |
| 4 | Out-of-order step | A step is skipped or called in the wrong order (e.g., calling the OTP factor before the password factor when policy requires password first) | Follow the step sequence dictated by the policy response — the credentials array in the Step 2 response tells you which factor the policy expects next |
| 5 | Token from a different session | Using a flowState obtained in a different browser tab, device, or parallel request | Use only the flowState issued within the same session: flow state tokens are session-scoped and cannot be shared across parallel authentication flows for the same user |
| 6 | Mismatch between action field and flow state | The action value in the request body does not correspond to what the current flow state permits | The action field (authenticate, access) must match the action that was used to initiate the flow |
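The table above lists the six conditions under which the server rejects the header. The following simulation is an added illustration and is not IDSP code: the real token format, TTL and internals of the AuthManager service are not documented here, so the token layout (an HMAC-signed `flow_id.nonce.sig` string), the 300-second TTL, the class and function names and the two-factor policy are all assumptions. What it does reproduce is the documented contract: every response carries a fresh flowState, the next call must echo it, it is single-use, it expires, it is bound to one session and one action, and only the factor the policy expects next is accepted. `run_client` shows the correct client pattern; `reproduce` triggers each root cause from the table and returns the server-side reason.

```python
"""Hypothetical model of the x-flow-state checks (not IDSP's implementation)."""
import hashlib
import hmac
import secrets
import time

# Error body as documented on the page.
ERROR_0000011 = {
    "errorCode": "0000011",
    "errorMessage": "Not an intended action, proper x-flow-state header must be used",
}


class FlowStateError(Exception):
    """Raised for every rejection; the client only ever sees ERROR_0000011."""
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason      # server-side reason, useful for the operator's logs
        self.body = ERROR_0000011


class AuthManager:
    """Server side: one state record per in-flight flow (assumed design)."""
    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._flows = {}                            # flow_id -> state dict
        self._secret = secrets.token_bytes(32)      # assumption: HMAC-signed opaque token

    def _sign(self, payload):
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()[:16]

    def _issue(self, flow_id):
        # A new nonce on every response makes the previous header dead once consumed.
        st = self._flows[flow_id]
        st["nonce"] = secrets.token_hex(8)
        st["issued"] = self._clock()
        payload = f"{flow_id}.{st['nonce']}"
        return f"{payload}.{self._sign(payload)}"

    def start(self, session_id, action, policy):
        """Initial POST /auth/v1/authenticate (or authorize redirect): first response."""
        flow_id = secrets.token_hex(8)
        self._flows[flow_id] = {"session": session_id, "action": action,
                                "pending": list(policy), "done": []}
        return {"flowState": self._issue(flow_id), "credentials": [{"type": policy[0]}]}

    def step(self, session_id, action, factor, flow_state):
        """One factor endpoint call; raises FlowStateError for every documented cause."""
        if not flow_state:
            raise FlowStateError("missing header")                 # cause 1
        try:
            flow_id, nonce, sig = flow_state.split(".")
        except ValueError:
            raise FlowStateError("malformed header")
        st = self._flows.get(flow_id)
        if st is None or not hmac.compare_digest(sig, self._sign(f"{flow_id}.{nonce}")):
            raise FlowStateError("unknown or forged header")
        if st["nonce"] != nonce:
            raise FlowStateError("replayed header")                # cause 3
        if self._clock() - st["issued"] > self._ttl:
            raise FlowStateError("expired header")                 # cause 2
        if st["session"] != session_id:
            raise FlowStateError("header from another session")    # cause 5
        if st["action"] != action:
            raise FlowStateError("action mismatch")                # cause 6
        if st["pending"][0] != factor:
            raise FlowStateError("out-of-order step")              # cause 4
        st["done"].append(st["pending"].pop(0))
        if st["pending"]:
            return {"flowState": self._issue(flow_id),
                    "credentials": [{"type": st["pending"][0]}]}
        del self._flows[flow_id]
        return {"status": "SUCCESS", "completed": st["done"]}


def run_client(server, session_id, action, factors):
    """Correct client pattern: echo the flowState from the most recent response."""
    resp = server.start(session_id, action, policy=list(factors))
    while "flowState" in resp:
        factor = resp["credentials"][0]["type"]      # let the policy dictate the order
        resp = server.step(session_id, action, factor, resp["flowState"])
    return resp


def reproduce(cause):
    """Trigger one root cause from the table and return the server's reason."""
    clock = [1000.0]                                 # controllable clock for the TTL case
    server = AuthManager(ttl_seconds=300, clock=lambda: clock[0])
    fs = server.start("sess-A", "authenticate", ["password", "otp"])["flowState"]
    try:
        if cause == "missing":
            server.step("sess-A", "authenticate", "password", None)
        elif cause == "expired":
            clock[0] += 301
            server.step("sess-A", "authenticate", "password", fs)
        elif cause == "replay":
            server.step("sess-A", "authenticate", "password", fs)  # consumed here
            server.step("sess-A", "authenticate", "otp", fs)       # stale value reused
        elif cause == "out_of_order":
            server.step("sess-A", "authenticate", "otp", fs)       # policy wants password
        elif cause == "other_session":
            server.step("sess-B", "authenticate", "password", fs)
        elif cause == "action_mismatch":
            server.step("sess-A", "access", "password", fs)
        else:
            raise ValueError(cause)
    except FlowStateError as e:
        return e.reason
    return None
```

The point to take from the model is the replay case: the first password call succeeds, and it is the second call, made with the value that was already consumed, that produces 0000011. A client that caches the header from the initial response and sends it on every step will therefore see the first factor succeed and every later one fail.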