Errors

not_authorized

Sign with the key or origin that owns the target object, then retry

View as Markdown

The signing key is not allowed to perform this call: the coldkey is not associated with the hotkey, the caller is not the subnet owner, the origin is filtered, a proxy lacks permission for this call type, or the call requires a root/sudo origin.

Check which key actually owns the target object and sign with it. for proxy signing, the proxy type must permit the call; for subnet hyperparameters, the signer must be the subnet owner coldkey.

Remediation

Sign with the key or origin that owns the target object, then retry

Chain errors

The exact chain error names (from the extrinsic receipt) that classify to not_authorized; the description says what triggered the failure and where to check. Each name has its own page:

Chain errorDescription
AccountNotAllowedCommitRaised by set_commitment when the runtime commit check fails: the subnet must exist and the signing hotkey must be registered on it. Verify the netuid and that the hotkey has a UID on that subnet.
BeneficiaryDoesNotOwnHotkeyWhen ending a subnet lease, the hotkey passed for the ownership handover is not owned by the lease's beneficiary coldkey. Check the Owner storage for that hotkey and pass a hotkey the beneficiary coldkey actually owns.
CallFilteredThe runtime's origin call filter (e.g. BaseCallFilter or a restricted origin) rejected this call before dispatch. Check whether the specific call is permitted for the origin you used, including any proxy or safe-mode filtering in effect.
CannotUseSystemAccountThe hotkey supplied for registration, hotkey swap, or subnet-owner-hotkey assignment is a reserved subnet system account. Use a regular user-generated hotkey instead; system accounts are derived per-subnet and rejected by is_subnet_account_id.
ColdkeySwapDisputedAll extrinsics from this coldkey are blocked because its pending coldkey swap is under dispute. Check the ColdkeySwapDisputes storage for the coldkey; the dispute must be resolved by root before the account can transact.
CreateOriginNotAllowedA CREATE, or a CALL that performs a nested CREATE, was attempted from an EVM address not permitted to deploy contracts. Check whether the deploying address is in the chain's allowed-deployers list.
ExpectedBeneficiaryOriginA lease operation such as terminating a subnet lease was signed by an account other than the lease's beneficiary coldkey. Check the beneficiary recorded in the SubnetLeases storage for the lease id and sign with that coldkey.
InvalidOriginThe caller is not the crowdloan's creator, which is required for finalize, refund, dissolve, and the update calls. Compare the signing account with the creator field of the Crowdloans entry for the crowdloan_id.
NeuronNoValidatorPermitThe hotkey tried to set weights on other neurons without holding a validator permit on that subnet. Check ValidatorPermit for the neuron's uid (e.g. via the metagraph or btcli subnets metagraph) and whether its stake ranks it as a validator.
NoPermissionThe proxy pallet refused the action: the proxied call could escalate privileges, or the caller lacks authority over the pure proxy (e.g. kill_pure by a non-spawner). Check the proxy type's call filter and the original create_pure arguments.
NonAssociatedColdKeyThe signing coldkey does not own the hotkey it is trying to operate on (stake, swap, serve, children or take changes). Check the Owner storage entry for the hotkey, e.g. via btcli wallet overview, and sign with the coldkey that registered it.
NotAllowedContract deployment was blocked because the source address is not in the WhitelistedCreators list while the whitelist check is enabled. Check the deployer address against WhitelistedCreators and the DisableWhitelistCheck storage value.
NotAuthorizedThe caller is not permitted to manage this preimage; unnoting or unrequesting requires the pallet's manager origin or the account that originally deposited it. Check which origin noted or requested the preimage and use that origin or the configured ManagerOrigin.
NotOwnerOnly the account that opened the multisig operation (its depositor) may cancel it or adjust its deposit. Compare the sender against the depositor field stored in the Multisigs entry for this call hash.
NotProxyThe sender is not registered as a proxy for the account it tried to act for. Check the Proxies entry of the real account and confirm the sender appears there with a proxy type and delay compatible with the call.
NotSubnetOwnerThe signing coldkey is not the recorded owner of the subnet it tried to administer (e.g. setting subnet identity or owner-only hyperparameters). Compare the caller against the SubnetOwner storage entry for that netuid.
RequireSudoThe call requires the sudo key but was signed by a different account. Compare the sender against the account stored in the Sudo pallet's Key storage item.
StateChangeDeniedThe contract invoked a state-modifying host function, such as a storage write, transfer, or value-bearing call, while executing in read-only mode. Check whether the enclosing call was made with the read-only flag or from a static context.
TransactionMustComeFromEOARejected per EIP-3607: the sender address has contract code deployed, and transactions must originate from externally owned accounts. Check eth_getCode for the source address and sign with a plain EOA key instead.
TransactorAccountShouldBeHotKeyThe extrinsic must be signed by the hotkey itself, but a different account (typically the coldkey) was the origin. Check which key signs the transaction; calls like axon serving expect the hotkey as origin.
UnauthorizedIn System, the code passed to apply_authorized_upgrade does not hash to the value in AuthorizedUpgrade. In LimitOrders, the caller is not the order's signer, who alone may cancel it. Check the code hash against the authorization, or the sender against the order's signer.
UnproxyableThe attempted call is not permitted by the registered proxy type's call filter. Check which proxy_type the sender holds in the real account's Proxies entry and whether that type's InstanceFilter allows this specific call.

The same explanation is available in the terminal: btcli explain not_authorized (or btcli explain <ChainErrorName> for one exact chain error).