Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

The authentication token is incorrect if not revoked



Two REST Connect rules are configured and two Authentication Profiles are used. Both the Authentication profile rules use the Credentials based OAuth token and have different Access Endpoints. However, both the Authentication profile rules use the same Client ID for the authentication. When the REST connector is invoked from an activity, the second call fails with invalid Access token error.

Error Messages

Response 401 Unauthorized: 
Content-Type: application/json; charset=utf-8 
Transfer-Encoding: chunked 
Connection: keep-alive 
Server: SRVR/0.33-1-enterprise-edition 
WWW-Authenticate: Bearer realm="service" error="invalid_token" error_description="The access token is invalid or has expired" Exception occurred while mapping incoming response to .response_GET

Steps to Reproduce

  1. Create two REST Connect rules and refence two OAuth profile rules from each of them. Both the Auth profile rules use the Credentials based OAUTH.
  2. Use the same Client ID for authentication in both the Auth rules.
  3. Call the two REST Connectors sequentially from an activity.

Root Cause

Pega stores or retrieves access tokens from the pr_data_token table. Each token is stored as a combination of ClientID and Grant Type. 
According to the design, keys for access token is client_id+grant_type+operatorName+scope.

Since the same Client ID is used for two different AUTH rules which have the same Grant Type, only a single record is stored in the database. Thus, in successive REST calls, though different Access Token Endpoints are associated, the Access Token retrieved from the database is the same as the first.
This causes invalid access token for the second REST call, which expects a valid token that is distinct form the first token.


Perform the following local-change since the token endpoints are different:

Use a different client_id for each of them.


Published December 14, 2018 - Updated December 2, 2021

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us