Skip to content
Latchkey

Apigee apigeecli 401 (token expired) in CI

apigeecli reached the Apigee management API but was rejected with 401. The Google OAuth access token it used is missing, expired, or belongs to a service account without Apigee permissions.

What this error means

apigeecli fails with "401 Unauthorized" or "Request had invalid authentication credentials. Expected OAuth 2 access token" while the org and env names are correct.

apigee
Error 401: Request had invalid authentication credentials. Expected OAuth 2 access token,
login cookie or other valid authentication credential.

Common causes

No fresh access token was provided

apigeecli ran without -t and without a valid gcloud token, so the management API got an anonymous or stale request.

The service account lacks Apigee roles

The token authenticated but the principal has no Apigee API Admin role, so management calls are rejected.

How to fix it

Pass a fresh access token

  1. Authenticate the service account and mint a current access token.
  2. Pass it to apigeecli with -t, or let the CLI read APIGEE_TOKEN.
  3. Re-run the command; the 401 should clear.
Terminal
export APIGEE_TOKEN=$(gcloud auth print-access-token)
apigeecli apis list --org "$ORG" -t "$APIGEE_TOKEN"

Grant the service account Apigee roles

For a persistent 401/403, give the deploy service account the Apigee API Admin role so management calls are authorized.

Terminal
gcloud projects add-iam-policy-binding "$PROJECT" \
  --member="serviceAccount:$SA_EMAIL" \
  --role="roles/apigee.apiAdmin"

How to prevent it

  • Mint a fresh access token in each CI run; tokens are short-lived.
  • Grant the deploy service account least-privilege Apigee roles.
  • Keep service account keys or workload identity in CI secrets.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →