We’re experiencing persistent 401 Unauthorized errors when attempting to post journal entries to our SBOM management service via REST API. The integration was working fine in our single-tenant test environment, but fails in our multi-tenant production setup.
The OAuth2 token is being generated successfully, but validation fails at the API gateway level. We’ve verified the token contains the required scopes (sbom:write, journal:create), but the gateway rejects it immediately.
POST /api/v1/sbom/journal HTTP/1.1
Authorization: Bearer eyJhbGc...
Content-Type: application/json
Response: 401 Unauthorized
{"error": "invalid_token", "description": "Token validation failed"}
This is blocking our financial data synchronization across regional instances. Has anyone dealt with OAuth2 scope configuration or multi-tenant token validation issues in SAP PLM 2020? We need to understand the proper API gateway setup for multi-tenant environments.
Thanks for the suggestions. I checked our token endpoint and we ARE using the single-tenant endpoint. That’s likely part of the problem. However, I’m also concerned about the scope configuration. When I decode our JWT token, I see the scopes are there but they’re not prefixed with the tenant ID. Should they be formatted as tenant123.sbom:write instead of just sbom:write? Also, our API gateway logs show “scope validation passed” but then “tenant context missing” - which suggests the gateway itself might need additional configuration beyond just the token format.
I worked through this exact scenario last quarter. The issue spans multiple layers. Your OAuth2 client registration needs to specify grant_type=client_credentials with tenant_context=true parameter. This ensures tokens include tenant metadata. Beyond that, verify your SBOM service itself is configured to accept multi-tenant requests - there’s a service-level tenant validation that happens AFTER gateway validation.
Check your API gateway routing rules. In multi-tenant setups, the gateway needs to extract tenant context from either the token or request headers before forwarding to the SBOM service. We had a similar issue where the gateway was configured for single-tenant validation rules. You need to enable tenant-aware token validation in the gateway configuration. Look at the gateway’s security policy settings - there should be a multi-tenant validation module that needs to be activated.
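To make the layering discussed in this thread concrete, here is an added example (not code from any poster, SAP PLM, or its gateway) of a tenant-aware token check that fails in the same order the gateway logs above show: signature, then scopes, then tenant context. The HS256 signing key, the `tenant_id` claim name and the tenant-prefixed scope form (`tenant123.sbom:write`) are assumptions for the demonstration; the tokens are constructed in the block rather than fetched from a token endpoint.

```python
import base64, hashlib, hmac, json, time
DEMO_KEY = b"demo-gateway-key"  # constructed; a real gateway uses the IdP's verification key
REQUIRED_SCOPES = {"sbom:write", "journal:create"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """HS256 JWT built from constructed claims; stands in for the token endpoint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def single_tenant_token() -> str:
    """Shape a single-tenant endpoint issues: required scopes present, no tenant claim."""
    return mint_token({"scope": "sbom:write journal:create", "exp": time.time() + 300})

def multi_tenant_token(tenant: str, prefixed: bool = False) -> str:
    """Tenant-aware token; optionally with tenant-prefixed scopes (tenant123.sbom:write)."""
    scopes = [f"{tenant}.{s}" if prefixed else s for s in sorted(REQUIRED_SCOPES)]
    return mint_token({"scope": " ".join(scopes), "tenant_id": tenant, "exp": time.time() + 300})

def validate(token: str, expected_tenant: str, key: bytes = DEMO_KEY) -> tuple:
    """Gateway-side check in the order the thread's logs show: signature, scopes, tenant."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= time.time():
        return False, "token expired"
    tenant = claims.get("tenant_id")  # claim name is an assumption, not a SAP PLM identifier
    # Strip a tenant prefix only when it names the token's own tenant, so tenantA.sbom:write never satisfies tenantB.
    scopes = {sc[len(tenant) + 1:] if tenant and sc.startswith(tenant + ".") else sc
              for sc in claims.get("scope", "").split()}
    if not REQUIRED_SCOPES <= scopes:
        return False, f"missing scopes: {sorted(REQUIRED_SCOPES - scopes)}"
    if tenant is None:
        return False, "scope validation passed, tenant context missing"
    if tenant != expected_tenant:
        return False, "tenant mismatch"
    return True, "ok"
```

A token from the single-tenant endpoint passes the scope step and then fails on tenant context, which is the exact log sequence reported above; the same token minted with a tenant claim, prefixed or not, passes for its own tenant only.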