Unleash 401 Unauthorized (API token) in CI
The Unleash SDK sent a request to the API and got 401 Unauthorized. The server is up; the Authorization header carried no token or an invalid one. Unleash server SDKs require a client API token, not a frontend or admin token.
What this error means
Unleash logs "Unleash server responded 401 Unauthorized" or the fetch rejects with a 401. Toggles never load and evaluations return their fallback values.
[unleash] Error: Unleash server responded 401 Unauthorized. This may indicate
that the client API token is missing or invalid.Common causes
The client API token is missing in CI
No Authorization value was set, so Unleash rejects the anonymous request with 401.
A frontend or admin token was used instead of a client token
Backend SDKs need a client API token; a frontend token (for the proxy) or an admin token is rejected by the client API with 401.
How to fix it
Provide a client API token via the customHeaders
- Create a client API token in Unleash under API access.
- Store it as a CI secret and pass it as the Authorization header.
- Confirm it is a client token, not a frontend or admin token.
const unleash = initialize({
url: 'https://unleash.example.com/api/',
appName: 'ci',
customHeaders: { Authorization: process.env.UNLEASH_API_TOKEN },
});Match the token type to the endpoint
A 401 will not clear on retry. Verify the token is a client API token scoped to the project and environment your CI run targets.
How to prevent it
- Keep the Unleash client API token in CI secrets, never committed.
- Use a client token scoped to a CI project and environment.
- Do not reuse frontend or admin tokens for backend SDKs.