Pact Broker "401 Unauthorized" retrieving pacts in CI
The broker request reached PactFlow or your Pact Broker but carried no valid credentials. 401 means the token or basic-auth pair was missing, empty, or wrong, not that the broker is down.
What this error means
Publishing or verification fails with "Error retrieving pacts: 401 Unauthorized" or "401 Client Error" for the broker base URL, while the URL itself resolves.
Error retrieving https://acme.pactflow.io/pacts/provider/orders-provider/...
401 Unauthorized returned by the Pact Broker.
Please set PACT_BROKER_TOKEN or the basic auth credentials.Common causes
PACT_BROKER_TOKEN is not set in the job
The secret was never exposed to the step, so the client sends an anonymous request and PactFlow returns 401.
Basic auth username or password is wrong
A self-hosted broker using basic auth got mismatched PACT_BROKER_USERNAME/PACT_BROKER_PASSWORD, so authentication fails.
How to fix it
Inject the broker token from a secret
- Store the PactFlow or broker token as a CI secret.
- Expose it as
PACT_BROKER_TOKENin the step env. - Re-run so the client authenticates.
env:
PACT_BROKER_BASE_URL: https://acme.pactflow.io
PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }}Use basic auth env vars for a self-hosted broker
If the broker uses basic auth rather than a token, set the username and password instead of the token.
env:
PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}How to prevent it
- Keep the broker token or basic-auth pair in CI secrets, never in code.
- Set exactly one auth mechanism (token OR basic auth) to avoid ambiguity.
- Rotate broker credentials and update the secret in one place.