Skip to content
Latchkey

deck sync HTTP 401 (RBAC token) in CI

decK reached the Kong Admin API but was rejected with 401. Kong Enterprise RBAC is enabled and decK sent no valid Kong-Admin-Token, so the request is unauthorized.

What this error means

deck gateway sync fails with "HTTP status 401 (message: Unauthorized)" or "Invalid credentials" while the Admin URL itself is reachable.

deck
Error: failed to sync: HTTP status 401 (message: "Unauthorized")

Common causes

No RBAC token sent to the Admin API

RBAC is on but decK ran without --kong-admin-token, so the request is anonymous and rejected.

The token is wrong or lacks workspace access

A stale or workspace-scoped token cannot administer the target workspace, so Kong returns 401.

How to fix it

Pass the RBAC token from a secret

  1. Store the Kong admin token as a CI secret.
  2. Pass it to decK with --kong-admin-token or the DECK_KONG_ADMIN_TOKEN env var.
  3. Re-run sync and confirm the 401 clears.
Terminal
deck gateway sync kong.yaml \
  --kong-addr https://kong-admin.example.com \
  --kong-admin-token "$KONG_ADMIN_TOKEN"

Set the token via env in the workflow

Expose the token as an environment variable so decK picks it up without echoing it on the command line.

.github/workflows/ci.yml
env:
  DECK_KONG_ADMIN_TOKEN: ${{ secrets.KONG_ADMIN_TOKEN }}

How to prevent it

  • Keep the Kong admin token in CI secrets, never in committed config.
  • Grant the token access to the exact workspace decK targets.
  • Rotate the token on a schedule and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →