Billing engine REST API authentication fails with OAuth2 in c8y-1019

We’re getting 401 Unauthorized errors when our billing system tries to access Cumulocity’s REST API using OAuth2. The OAuth2 scopes seem incorrectly configured - we’re not sure which scopes are required for billing operations. Token validation is failing intermittently, and we suspect the API gateway is rejecting our tokens even though they appear valid.
GET /tenant/tenants/{tenantId}/usage
Authorization: Bearer {token}
Response: 401 Unauthorized
Error: "Invalid token scope"

Our tokens are generated correctly according to OAuth2 spec, but something’s wrong with either the scopes or how the gateway validates them. Any insights?

Check your OAuth2 application’s permission model. In c8y-1019, there’s a distinction between application-level permissions and user-level permissions. Your OAuth2 app needs explicit billing permissions granted at the application level, not just the user who authenticated. This is a common misconfiguration.

The API gateway has rate limiting that can cause intermittent 401s if you’re hitting limits. It’s not always a clear rate limit error - sometimes manifests as auth failures. Check if your request volume correlates with the failures. Implement exponential backoff and monitor rate limit headers in responses.
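To act on the rate-limit hypothesis, it helps to separate a 401 that carries the "Invalid token scope" body (a permission-model problem that retrying will not fix) from a 401 or 429 that coincides with exhausted rate-limit headers (transient; back off and retry). The client wrapper below is an added illustration, not code from this thread or from Cumulocity; the header names X-RateLimit-Remaining and Retry-After and the Response stand-in are assumptions, so substitute whatever your gateway actually returns.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP client result (constructed for this example)."""
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# Assumed header names; check the gateway's real responses and adjust.
RATE_HEADERS = ("X-RateLimit-Remaining", "Retry-After")


def classify(resp):
    """Map a response to: ok, scope (misconfiguration), throttled, auth, other."""
    if resp.status == 200:
        return "ok"
    if resp.status == 429:
        return "throttled"
    if resp.status == 401:
        if "scope" in resp.body.lower():
            return "scope"  # app-level permissions missing; do not retry
        if resp.headers.get("X-RateLimit-Remaining") == "0":
            return "throttled"  # auth failure that is really a rate limit
        return "auth"
    return "other"


def call_with_backoff(send, max_attempts=5, base=0.5, cap=8.0, sleep=time.sleep):
    """Call send() with exponential backoff on transient failures.

    Returns (response or None, log) where log records status, classification and
    rate-limit headers per attempt so failures can be correlated with volume."""
    log = []
    for attempt in range(max_attempts):
        resp = send()
        kind = classify(resp)
        log.append((resp.status, kind, {h: resp.headers.get(h) for h in RATE_HEADERS}))
        if kind == "ok":
            return resp, log
        if kind != "throttled":
            return None, log  # scope/auth/other: retrying will not help
        sleep(min(base * (2 ** attempt), cap))
    return None, log


def scripted(responses):
    """Constructed transport: hands back the given responses in order."""
    it = iter(responses)
    return lambda: next(it)
```

Wire `send` to a real request (e.g. a `requests.get` wrapped to return a Response) and keep the per-attempt log; a stream of "throttled" entries with X-RateLimit-Remaining at 0 supports the rate-limit explanation, while a single "scope" entry points back at the application permission model.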

Good point about token expiration. We’re not refreshing tokens proactively. But even with fresh tokens (generated 2 minutes ago), we still get intermittent failures. Could this be a gateway caching issue?