Why is my API returning an invalid token?
If your API uses a token validation interceptor and returns a 401 Unauthorized status code, it indicates that the provided token is invalid. This may occur for one of the following reasons:
- It is incorrect, expired, or revoked
- It does not grant access to this resource or API
The token validation interceptors are: OAuth, Access Token Validation, JWT Validation, Client ID Validation, CSRF Validation, Time Token Validation, and Digital Signature. When providing credentials (such as an access token) in these interceptors, ensure that the value is used exactly as generated, without any leading or trailing spaces or line breaks. Any alteration to the original format may affect credential processing.
The response of the API call tells us which element carries the invalid token.
- If the element is the access_token (expired, revoked, incorrect, without access to the resource, not provided), the message will be:
  Access Token in the request, identified by HEADER access_token, is invalid. Check docs.sensedia.com
- If the element is the client_id (expired, revoked, incorrect, without access to the resource, not provided), the message will be:
  Client Id in the request, identified by HEADER client_id, is invalid. Check docs.sensedia.com
- For interceptors where the name of the element that contains the key (header, cookie, queryParam) is defined by the user, the message will be:
  %s in the request, identified by HEADER %s, is invalid. Check docs.sensedia.com
In the General trace logs, we can find a more detailed breakdown of the error, indicating whether the token is incorrect, expired, revoked or does not have access to the resource.
- If the token is incorrect, expired, or revoked, the trace will show the following log:
  Access token in HEADER access_token HAS NOT BEEN FOUND (causes: is invalid, expired, or revoked); rejecting call
- If the token does not have access to the resource, the trace will show the following log:
  Access token in HEADER access_token DOES NOT HAVE ACCESS TO THIS RESOURCE; rejecting call
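The following Python sketch is an added example, not Sensedia code: it matches the response message and the trace-log lines quoted above to report which element was rejected and why, and checks a credential for stray whitespace or line breaks. The function names are hypothetical, and accepting a location word other than HEADER is an assumption, since this page only shows HEADER.

```python
import re

# Added example; function names are hypothetical, not a Sensedia API.
# Response-body pattern, from the message template shown on this page:
#   "%s in the request, identified by HEADER %s, is invalid."
RESPONSE_RE = re.compile(
    r"^(?P<element>.+?) in the request, identified by "
    r"(?P<location>\w+) (?P<key>\S+), is invalid\."
)
# Trace-log pattern, from the two log lines shown on this page.
TRACE_RE = re.compile(
    r"in (?P<location>\w+) (?P<key>\S+) "
    r"(?P<verdict>HAS NOT BEEN FOUND|DOES NOT HAVE ACCESS TO THIS RESOURCE)"
)
CAUSES = {
    "HAS NOT BEEN FOUND": "incorrect, expired, or revoked",
    "DOES NOT HAVE ACCESS TO THIS RESOURCE": "no access to this resource",
}

def credential_is_altered(value):
    """True if the value has leading/trailing whitespace or any line break."""
    return value != value.strip() or "\n" in value or "\r" in value

def diagnose(response_message, trace_lines):
    """Return (element, location, key, cause) for a 401 rejection, or None."""
    m = RESPONSE_RE.match(response_message.strip())
    if not m:
        return None
    cause = "unknown (no matching trace line)"
    for line in trace_lines:
        t = TRACE_RE.search(line)
        # Only trust a trace line that refers to the same location and key.
        if t and (t["location"], t["key"]) == (m["location"], m["key"]):
            cause = CAUSES[t["verdict"]]
            break
    return m["element"], m["location"], m["key"], cause

# Constructed sample input (message and log texts copied from this page).
SAMPLE_RESPONSE = ("Access Token in the request, identified by HEADER "
                   "access_token, is invalid. Check docs.sensedia.com")
SAMPLE_TRACE = [
    "Access token in HEADER access_token DOES NOT HAVE ACCESS TO THIS RESOURCE; rejecting call",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, SAMPLE_TRACE))
    print(credential_is_altered("abc123\n"))
```

Run `credential_is_altered` on the value before sending it, and `diagnose` on the 401 body together with the General trace lines for the same call.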