Invalid Derivation Origin

I followed this guide: How to Deploy Your First Canister Smart Contract Using the NNS Dapp | by DFINITY | The Internet Computer Review | Medium for deploying a canister and was able to deploy 3 canisters successfully.

As part of my token deployment params, I marked my nns principal as being the owner of the token with a starting balance. I can see the balance is correct in the Candid UI.

I want to interact with the canister so I click login, expecting to be prompted to connect with my nns account.

Instead I get an Invalid Derivation Origin error:

Invalid Derivation Origin
"" is not a valid derivation origin for ""
Error details:
An error occurred while validating the derivationOrigin "": Failed to fetch

How can I connect my nns account to login to the Candid UI?
Are there settings I need to set when deploying the canister?


Hi @nolma

You are hitting a special case here which is related to principal derivation on Internet Identity. Normally Internet Identity hands out different principals for each application. There is a feature however, to have two applications with different URLs use the same principal. It is called alternative origins and is documented here.

Apparently, candid UI now supports that feature (very useful for debugging), which means it is able to use the same principal as you would have on your own front-end given you grant it the permission to do so. The error you see here, is because you are currently not granting it the permission.

To grant it the permission, simply host a file in your canister using the path /.well-known/ii-alternative-origins and add the following content:

  "alternativeOrigins": [""]

Be aware of the consequences though: This allows the Candid UI canister a4gq6-oaaaa-aaaab-qaa4q-cai to use the same principals as you get on your front-end ( It can therefore impersonate your front-end, which would be really bad if it were to turn malicious (I don’t know who controls a4gq6-oaaaa-aaaab-qaa4q-cai). Remove the entry from the /.well-known/ii-alternative-origins file before associating anything of value with the user principals from your front-end.

You should also be able to deploy your own candid UI to mainnet if you don’t trust a4gq6-oaaaa-aaaab-qaa4q-cai. @Severin: What would be the easiest way to do so?


The easiest way to deploy your own Candid UI is to clone this folder, delete canister_ids.json (so dfx doesn’t try to deploy to the ‘official’ Candid UI, and then deploy the project for yourself

1 Like


If your canister is written in Motoko, here’s what you need to add for it to work with Candid UI login.

If you are not using the http_request function for fast certified queries, you can add the upgrade = ?true; field in the response and serve the alternativeOrigin file from http_request_update, see example