REST API 401 — invalid_token / Expired Access Token
The error HTTP 401 Unauthorized {"error":"invalid_token","error_description":"The access token is invalid or has expired"}
What it means
The bearer token the client presented is no longer valid — most commonly it expired (Workday access tokens are short-lived) and the client kept using it instead of refreshing. It can also mean the token was issued for a different tenant or the API client registration changed.
Troubleshooting
- Decode the token's issue/expiry times and compare with the request time — most failures are simple expiry.
- Verify the token endpoint and tenant in the client config match the resource URL being called (IMPL tokens don't work on PROD).
- Check the API client in Workday (View API Clients): is it enabled, and does its scope cover the endpoint?
- If using a refresh token, confirm it hasn't been rotated or revoked by a re-registration.
⚡ Quick fix
Request a fresh access token from the token endpoint and retry the call.
✓ Permanent fix
Implement proactive token refresh (refresh before expiry, retry-once-on-401 as backstop) in the client, and alert on repeated 401s so credential rotations and client re-registrations are caught immediately.