mining.authorize Invalid Credentials — Pool-Side Reject

Match username to the pool family. Solo / address-auth pools (`solo.ckpool.org`, `public-pool.io`, `pool.ocean.xyz`, `pool.d-central.tech`): username must be a fresh on-chain BTC address (`bc1q`, `3`, or `1` prefix) — NO Lightning addresses, no email, no usernames. Pooled stratum (`stratum.antpool.com`, `btc.f2pool.com`, Braiins Pool): username must be `<registered_account>.<workername>` exactly as configured in the pool dashboard. Save, reboot the miner, watch the dashboard — pool status should flip to Connected/Alive within 30 seconds and stay.

Sanitize the Pool URL / Stratum URL field. Remove any `stratum+tcp://`, `https://`, `http://`, leading or trailing whitespace, or trailing slash. Field must contain only a bare hostname (e.g. `stratum.antpool.com` or `public-pool.io`). Save and reboot. The miner's stratum-connect log should now show `Connected to <host>:<port>` cleanly without DNS resolution errors.

Switch to the canonical control pool for your hardware class. Bitaxe / Nerd family → `public-pool.io:21496` with your BTC address as username and `x` as password. Antminer / Whatsminer / Avalon (BTC SHA-256) → register a free Braiins Pool account at braiins.com/pool and connect there as `<account>.<worker>`. If auth succeeds on the control pool, the original pool has a policy / ToS / geo issue; if it fails on both, the username string itself is the problem.

Strip the worker suffix and retry with username only. Remove everything from the first `.` onward in the username field so it contains just the raw username (BTC address for solo pools, account name for pooled stratum). Some pools silently reject malformed worker suffixes (emojis, spaces, slashes, mixed case). If auth now succeeds, re-add the suffix using only `[a-z0-9-]` characters.

Factory reset and reconfigure from a clean state. Antminer: hold the reset button on the control board for 5+ seconds. Whatsminer: rear button or MinerTool reset. AxeOS / Bitaxe: Settings → System → Reset Settings. Re-enter WiFi and pool config by typing (NOT pasting from a PDF — PDFs embed zero-width Unicode). Reboot. Eliminates lingering corruption and silent character bugs.

Confirm network reachability from a laptop. `ping <pool-host>` for sub-200 ms responses, then `nc -v <pool-host> <port>` (Linux/macOS) or `telnet <pool-host> <port>` (Windows). You should see `Open` / `Connected to ...`. If this fails, the problem is network/DNS/firewall, not credentials. If it succeeds, the network is fine and the issue is credential-side.

Manual stratum handshake from the laptop. With `nc <pool-host> <port>` open, paste `{"id":1,"method":"mining.subscribe","params":["test/1.0"]}` then newline, then `{"id":2,"method":"mining.authorize","params":["YOUR_USERNAME","x"]}` then newline. Read the JSON response. The pool's raw error string (`bad-user-name`, `worker-not-found`, `address-not-supported`, `account-banned`, `geographic-restriction`) tells you exactly which root-cause bucket you are in — far more verbose than the miner UI.

Cross-validate the address against a block explorer API for solo / address-auth pools: `curl https://mempool.space/api/address/<YOUR_BTC_ADDRESS>`. A valid address returns JSON; a malformed one 404s. If 404, the address is bad — generate a fresh receive address from Sparrow Wallet, Electrum, or a hardware wallet and use that. For pooled stratum, log into the pool dashboard and confirm the account name and worker name exactly match what you typed in the miner.

Check the pool's status / announcements page. Production pools log migrations, port changes, and policy updates publicly — Braiins Pool status, F2Pool announcements, Antpool notice page. A pool that quietly migrated from V1-only to V2-only on a known date will produce auth failures for every V1 miner the day of the migration. Match the date of your auth failure against the pool's recent announcements before going deeper.

Capture the full TCP stream with tcpdump or Wireshark. Run `tcpdump -i <iface> -w stratum.pcap host <pool-host>` on the LAN, reboot the miner, capture 60 seconds across one full connect-fail-reconnect cycle, then open the .pcap in Wireshark and Follow → TCP Stream. You see the literal bytes the miner sent and the literal bytes the pool returned — UTF-8 vs ASCII issues, JSON whitespace, escape bugs, and any TLS interception by corporate firewalls all become visible.

Build firmware with verbose stratum logging. ESP-Miner: clone github.com/bitaxeorg/ESP-Miner, enable DEBUG-level logging in stratum_api.c, flash. Braiins OS+ on Antminer: enable bosminer debug logging in the config. DCENT_OS: enable verbose stratum logging via the firmware's debug panel. Reproduce the auth fail and read the line-by-line TX/RX. File a GitHub issue against the firmware project if you confirm a parser bug.

For username-only pools (Kano-style) running ESP-Miner-NerdQAxePlus: fork the firmware and rewrite the mining.authorize builder to submit `<registered_username>.<workername>` instead of `<btc_address>.<workername>`. Issue #501 in shufps/ESP-Miner-NerdQAxePlus tracks this. Until merged, the workaround is a custom build or a swap to an address-auth solo pool.

Pool-side log analysis (if you operate the pool). For self-hosted ckpool, public-pool, MiningCore, NOMP, BTCPool, or Braiins-Farm-Proxy: set the logger to DEBUG, reproduce the rejection, read the verdict. The server log explicitly tells you why each `mining.authorize` was rejected — the most direct diagnosis available, and the right tool for a private-pool / farm operator.

On Antminer hardware specifically: flash DCENT_OS — D-Central's open-source Antminer firmware. DCENT_OS exposes per-pool stratum state on the dashboard (subscribe / configure / authorize state machine, last error string from the pool, retry timer, reconnect cause) — visibility that stock Bitmain firmware hides. Alternatives with similar visibility: Braiins OS+, LuxOS, Vnish. Note: DCENT_OS support for Whatsminer / Avalon is on D-Central's roadmap but not yet shipping; for those platforms use the manufacturer's native firmware or LuxOS / Braiins OS+.

Firmware regression check. If auth used to work and stopped after a firmware update, roll back one version. ESP-Miner: re-flash a previous release via OTA from bitaxeorg/ESP-Miner releases. Antminer stock: roll back via Bitmain's downloads portal. Antminer DCENT_OS / Braiins OS+: check the firmware's changelog for stratum-handler changes between releases. Whatsminer Btminer: roll back via MinerTool's firmware utility. Observe 30 minutes on the rolled-back firmware before re-testing.

Stop DIY and escalate. If username is validated against the pool's format, URL is clean, port matches docs, alternate pool authorizes cleanly, and Wireshark confirms a well-formed mining.authorize going out with `result: false` coming back — open a D-Central support ticket at d-central.tech/contact/ with the captured .pcap, firmware version, hardware revision, pool URL + port, and the exact username (redact the suffix if you prefer). For confirmed firmware bugs, file the same package on the firmware project's GitHub issue tracker.

What D-Central does at Tier 4. Cross-references config patterns across thousands of customer setups; usually identifies the failing field within one ticket from a screenshot of the miner's pool config. For Antminer-class miners: recommends a flash to DCENT_OS to expose stratum state cleanly, then re-tests auth from a clean firmware state. For Bitaxe / Nerd: cross-checks against the D-Central Bitaxe Troubleshooting Guide and walks the AxeOS Settings page field-by-field.