Skip to content
Latchkey

Grafana API "401 Unauthorized" in CI

A call to the Grafana HTTP API returned 401, meaning Grafana did not accept the bearer token: it is missing, malformed, revoked, or a legacy API key that has been disabled. The endpoint is reachable; the credential is the problem.

What this error means

A curl or provisioning step against the Grafana API fails with HTTP 401 and a JSON body like {"message":"Unauthorized"} or {"message":"invalid API key"}.

Grafana
< HTTP/2 401
{"message":"Unauthorized"}

Common causes

No or wrong Authorization header

The token env var is empty or the header is malformed, so Grafana sees an unauthenticated request and returns 401.

A revoked or expired service account token

The service account token was rotated or the legacy API key was disabled, so the credential no longer authenticates.

How to fix it

Send a valid service account token

  1. Create a service account token in Grafana with the needed role.
  2. Store it as a CI secret and pass it as a bearer token.
  3. Re-run the request.
Terminal
curl -fsS -H "Authorization: Bearer $GRAFANA_TOKEN" \
  "$GRAFANA_URL/api/dashboards/home"

Rotate and re-store an expired token

If the token was revoked or expired, generate a new service account token and update the secret.

How to prevent it

  • Use service account tokens rather than disabled legacy API keys.
  • Store tokens in CI secrets and reference them by env var.
  • Rotate tokens on a schedule and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →