Skip to content
Latchkey

Pact Broker "401 Unauthorized" retrieving pacts in CI

The broker request reached PactFlow or your Pact Broker but carried no valid credentials. 401 means the token or basic-auth pair was missing, empty, or wrong, not that the broker is down.

What this error means

Publishing or verification fails with "Error retrieving pacts: 401 Unauthorized" or "401 Client Error" for the broker base URL, while the URL itself resolves.

Pact
Error retrieving https://acme.pactflow.io/pacts/provider/orders-provider/...
401 Unauthorized returned by the Pact Broker.
Please set PACT_BROKER_TOKEN or the basic auth credentials.

Common causes

PACT_BROKER_TOKEN is not set in the job

The secret was never exposed to the step, so the client sends an anonymous request and PactFlow returns 401.

Basic auth username or password is wrong

A self-hosted broker using basic auth got mismatched PACT_BROKER_USERNAME/PACT_BROKER_PASSWORD, so authentication fails.

How to fix it

Inject the broker token from a secret

  1. Store the PactFlow or broker token as a CI secret.
  2. Expose it as PACT_BROKER_TOKEN in the step env.
  3. Re-run so the client authenticates.
.github/workflows/ci.yml
env:
  PACT_BROKER_BASE_URL: https://acme.pactflow.io
  PACT_BROKER_TOKEN: ${{ secrets.PACT_BROKER_TOKEN }}

Use basic auth env vars for a self-hosted broker

If the broker uses basic auth rather than a token, set the username and password instead of the token.

.github/workflows/ci.yml
env:
  PACT_BROKER_USERNAME: ${{ secrets.PACT_BROKER_USERNAME }}
  PACT_BROKER_PASSWORD: ${{ secrets.PACT_BROKER_PASSWORD }}

How to prevent it

  • Keep the broker token or basic-auth pair in CI secrets, never in code.
  • Set exactly one auth mechanism (token OR basic auth) to avoid ambiguity.
  • Rotate broker credentials and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →