Invalid access Token Error for Valid Token

Hello,

In our org, we started seeing a spike in Invalid access token errors. We even captured some traces to debug it. In the trace, we could see the access token. When we tried to verify if it was valid or not, we found that the token was valid.

Even though the number of Invalid access token errors is less than 1 percent of the total calls that came in, we really don't know why Apigee is throwing invalid access token errors, even though the tokens are valid. But if there is some issue with Apigee or the token generation process, all the tokens must be rejected, right? Why few? We are really confused. Any suggestions? How do we debug this further/resolve this?

1 REPLY

I understand what you wrote. 

If you've been around Apigee for a while, you understand that tokens are valid for specific things - for specific API Products. It's one thing for an Apigee-generated token to be "valid" - meaning it is a token generated by Apigee, not expired, not revoked. But it is a different thing to be "valid for the current request". (See this old but still relevant article for more information.) So it is possible that a token is good, generated by Apigee, but not valid for the currently executing request. Do you know if you are seeing this case - a valid Apigee token, but used in the wrong request? Is it possible that tokens are "leaking" and someone or some system is trying to use tokens in APIs for which the tokens are not authorized?

If you're certain that the token is being used in a request for which the token SHOULD BE treated as valid, then I would suggest that you contact Apigee support to help diagnose this.
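
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Apigee code: a triage pass that sorts rejected calls into "token not valid" versus "token valid, but not for this request". The product definitions, token records, rejected calls and the wildcard matching are all constructed assumptions for illustration.

```python
import re

# Constructed API products: name -> (proxies, resource path patterns)
PRODUCTS = {
    "orders-read": ({"orders-v1"}, ("/orders", "/orders/*")),
    "billing-full": ({"billing-v1"}, ("/**",)),
}
# Constructed token store: id -> (status, expiry in epoch seconds, products)
TOKENS = {
    "tok-A": ("approved", 2000, ("orders-read",)),
    "tok-B": ("approved", 1000, ("orders-read",)),
    "tok-C": ("revoked", 2000, ("billing-full",)),
}
# Constructed rejected calls from a trace export: (token, proxy, path, time)
REJECTED = [
    ("tok-A", "billing-v1", "/invoices/7", 1500),
    ("tok-A", "orders-v1", "/orders/7/items", 1500),
    ("tok-B", "orders-v1", "/orders", 1500),
    ("tok-C", "billing-v1", "/invoices", 1500),
    ("tok-A", "orders-v1", "/orders/7", 1500),
]

def path_matches(pattern, path):
    """Simplified matching (assumption): '*' = one segment, '**' = any rest."""
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]+")
    return re.fullmatch(rx, path) is not None

def classify(token_id, proxy, path, now):
    """Separate 'is the token valid' from 'is it valid for this request'."""
    tok = TOKENS.get(token_id)
    if tok is None:
        return "unknown_token"
    status, expires_at, products = tok
    if status != "approved":
        return "revoked"
    if expires_at <= now:
        return "expired"
    for name in products:
        proxies, patterns = PRODUCTS[name]
        if proxy in proxies and any(path_matches(p, path) for p in patterns):
            return "valid_for_request"   # rejection unexplained: escalate
    return "valid_token_wrong_product"   # good token used on the wrong API

def triage(rows):
    counts = {}
    for row in rows:
        verdict = classify(*row)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

if __name__ == "__main__":
    for verdict, n in sorted(triage(REJECTED).items()):
        print(f"{verdict:28} {n}")
```

Rows that come out as `valid_token_wrong_product` are the case the reply asks about; only rows that come out as `valid_for_request` are rejections the token and product data cannot explain.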