Grafana API "401 Unauthorized" in CI
A call to the Grafana HTTP API returned 401, meaning Grafana did not accept the bearer token: it is missing, malformed, revoked, or a legacy API key that has been disabled. The endpoint is reachable; the credential is the problem.
What this error means
A curl or provisioning step against the Grafana API fails with HTTP 401 and a JSON body like {"message":"Unauthorized"} or {"message":"invalid API key"}.
< HTTP/2 401
{"message":"Unauthorized"}Common causes
No or wrong Authorization header
The token env var is empty or the header is malformed, so Grafana sees an unauthenticated request and returns 401.
A revoked or expired service account token
The service account token was rotated or the legacy API key was disabled, so the credential no longer authenticates.
How to fix it
Send a valid service account token
- Create a service account token in Grafana with the needed role.
- Store it as a CI secret and pass it as a bearer token.
- Re-run the request.
curl -fsS -H "Authorization: Bearer $GRAFANA_TOKEN" \
"$GRAFANA_URL/api/dashboards/home"Rotate and re-store an expired token
If the token was revoked or expired, generate a new service account token and update the secret.
How to prevent it
- Use service account tokens rather than disabled legacy API keys.
- Store tokens in CI secrets and reference them by env var.
- Rotate tokens on a schedule and update the secret in one place.