# not_authorized (/docs/errors/not-authorized)

The signing key is not allowed to perform this call: the coldkey is not associated with the hotkey, the caller is not the subnet owner, the origin is filtered, a proxy lacks permission for this call type, or the call requires a root/sudo origin.

Check which key actually owns the target object and sign with it. for proxy signing, the proxy type must permit the call; for subnet hyperparameters, the signer must be the subnet owner coldkey.

## Remediation [#remediation]

Sign with the key or origin that owns the target object, then retry

## Chain errors [#chain-errors]

The exact chain error names (from the extrinsic receipt) that classify to `not_authorized`; the description says what triggered the failure and where to check. Each name has its own page:

| Chain error                                                                             | Description                                                                                                                                                                                                                                                                           |
| --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [`AccountNotAllowedCommit`](/docs/errors/chain/AccountNotAllowedCommit)                 | Raised by `set_commitment` when the runtime commit check fails: the subnet must exist and the signing hotkey must be registered on it. Verify the `netuid` and that the hotkey has a UID on that subnet.                                                                              |
| [`BeneficiaryDoesNotOwnHotkey`](/docs/errors/chain/BeneficiaryDoesNotOwnHotkey)         | When ending a subnet lease, the hotkey passed for the ownership handover is not owned by the lease's beneficiary coldkey. Check the `Owner` storage for that hotkey and pass a hotkey the beneficiary coldkey actually owns.                                                          |
| [`CallFiltered`](/docs/errors/chain/CallFiltered)                                       | The runtime's origin call filter (e.g. `BaseCallFilter` or a restricted origin) rejected this call before dispatch. Check whether the specific call is permitted for the origin you used, including any proxy or safe-mode filtering in effect.                                       |
| [`CannotUseSystemAccount`](/docs/errors/chain/CannotUseSystemAccount)                   | The hotkey supplied for registration, hotkey swap, or subnet-owner-hotkey assignment is a reserved subnet system account. Use a regular user-generated hotkey instead; system accounts are derived per-subnet and rejected by `is_subnet_account_id`.                                 |
| [`ColdkeySwapDisputed`](/docs/errors/chain/ColdkeySwapDisputed)                         | All extrinsics from this coldkey are blocked because its pending coldkey swap is under dispute. Check the `ColdkeySwapDisputes` storage for the coldkey; the dispute must be resolved by root before the account can transact.                                                        |
| [`CreateOriginNotAllowed`](/docs/errors/chain/CreateOriginNotAllowed)                   | A CREATE, or a CALL that performs a nested CREATE, was attempted from an EVM address not permitted to deploy contracts. Check whether the deploying address is in the chain's allowed-deployers list.                                                                                 |
| [`ExpectedBeneficiaryOrigin`](/docs/errors/chain/ExpectedBeneficiaryOrigin)             | A lease operation such as terminating a subnet lease was signed by an account other than the lease's beneficiary coldkey. Check the beneficiary recorded in the `SubnetLeases` storage for the lease id and sign with that coldkey.                                                   |
| [`InvalidOrigin`](/docs/errors/chain/InvalidOrigin)                                     | The caller is not the crowdloan's creator, which is required for `finalize`, `refund`, `dissolve`, and the update calls. Compare the signing account with the `creator` field of the `Crowdloans` entry for the `crowdloan_id`.                                                       |
| [`NeuronNoValidatorPermit`](/docs/errors/chain/NeuronNoValidatorPermit)                 | The hotkey tried to set weights on other neurons without holding a validator permit on that subnet. Check `ValidatorPermit` for the neuron's uid (e.g. via the metagraph or `btcli subnets metagraph`) and whether its stake ranks it as a validator.                                 |
| [`NoPermission`](/docs/errors/chain/NoPermission)                                       | The proxy pallet refused the action: the proxied call could escalate privileges, or the caller lacks authority over the pure proxy (e.g. `kill_pure` by a non-spawner). Check the proxy type's call filter and the original `create_pure` arguments.                                  |
| [`NonAssociatedColdKey`](/docs/errors/chain/NonAssociatedColdKey)                       | The signing coldkey does not own the hotkey it is trying to operate on (stake, swap, serve, children or take changes). Check the `Owner` storage entry for the hotkey, e.g. via `btcli wallet overview`, and sign with the coldkey that registered it.                                |
| [`NotAllowed`](/docs/errors/chain/NotAllowed)                                           | Contract deployment was blocked because the source address is not in the `WhitelistedCreators` list while the whitelist check is enabled. Check the deployer address against `WhitelistedCreators` and the `DisableWhitelistCheck` storage value.                                     |
| [`NotAuthorized`](/docs/errors/chain/NotAuthorized)                                     | The caller is not permitted to manage this preimage; unnoting or unrequesting requires the pallet's manager origin or the account that originally deposited it. Check which origin noted or requested the preimage and use that origin or the configured `ManagerOrigin`.             |
| [`NotOwner`](/docs/errors/chain/NotOwner)                                               | Only the account that opened the multisig operation (its depositor) may cancel it or adjust its deposit. Compare the sender against the `depositor` field stored in the `Multisigs` entry for this call hash.                                                                         |
| [`NotProxy`](/docs/errors/chain/NotProxy)                                               | The sender is not registered as a proxy for the account it tried to act for. Check the `Proxies` entry of the `real` account and confirm the sender appears there with a proxy type and delay compatible with the call.                                                               |
| [`NotSubnetOwner`](/docs/errors/chain/NotSubnetOwner)                                   | The signing coldkey is not the recorded owner of the subnet it tried to administer (e.g. setting subnet identity or owner-only hyperparameters). Compare the caller against the `SubnetOwner` storage entry for that netuid.                                                          |
| [`RequireSudo`](/docs/errors/chain/RequireSudo)                                         | The call requires the sudo key but was signed by a different account. Compare the sender against the account stored in the Sudo pallet's `Key` storage item.                                                                                                                          |
| [`StateChangeDenied`](/docs/errors/chain/StateChangeDenied)                             | The contract invoked a state-modifying host function, such as a storage write, transfer, or value-bearing call, while executing in read-only mode. Check whether the enclosing call was made with the read-only flag or from a static context.                                        |
| [`TransactionMustComeFromEOA`](/docs/errors/chain/TransactionMustComeFromEOA)           | Rejected per EIP-3607: the sender address has contract code deployed, and transactions must originate from externally owned accounts. Check `eth_getCode` for the `source` address and sign with a plain EOA key instead.                                                             |
| [`TransactorAccountShouldBeHotKey`](/docs/errors/chain/TransactorAccountShouldBeHotKey) | The extrinsic must be signed by the hotkey itself, but a different account (typically the coldkey) was the origin. Check which key signs the transaction; calls like axon serving expect the hotkey as origin.                                                                        |
| [`Unauthorized`](/docs/errors/chain/Unauthorized)                                       | In System, the code passed to `apply_authorized_upgrade` does not hash to the value in `AuthorizedUpgrade`. In LimitOrders, the caller is not the order's signer, who alone may cancel it. Check the code hash against the authorization, or the sender against the order's `signer`. |
| [`Unproxyable`](/docs/errors/chain/Unproxyable)                                         | The attempted call is not permitted by the registered proxy type's call filter. Check which `proxy_type` the sender holds in the real account's `Proxies` entry and whether that type's `InstanceFilter` allows this specific call.                                                   |

The same explanation is available in the terminal: `btcli explain not_authorized` (or `btcli explain <ChainErrorName>` for one exact chain error).
