Thanks for your response!
Not upgraded from 3.0, but it does have secret config.
I guessed the token was not passed through the request. I just guess because cannot see verbose log, but probably for this reason.
I set a Nginx reverse proxy, is it affected by this?