Nx Cloud 401 Unauthorized in CI
A 401 from Nx Cloud means the request authenticated with a token, but Nx Cloud rejected it. The connection works; the credential is wrong, revoked, or does not belong to this workspace.
What this error means
Nx Cloud calls fail with a 401 Unauthorized response, and remote caching or distributed execution is disabled for the run.
Nx Cloud
NX Nx Cloud responded with 401 Unauthorized.
The provided access token is invalid.Common causes
The token is invalid or revoked
A rotated, deleted, or mistyped NX_CLOUD_ACCESS_TOKEN authenticates as an unknown principal and is rejected with 401.
The token belongs to another workspace
A token generated for a different Nx Cloud workspace does not match this one, so the request is unauthorized.
How to fix it
Rotate and re-set the token
- Generate a fresh access token for this exact workspace in Nx Cloud.
- Update the
NX_CLOUD_ACCESS_TOKENsecret with the new value. - Re-run and confirm the 401 clears.
.github/workflows/ci.yml
env:
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}Confirm the token matches the workspace
A 401 will not clear on retry. Verify the token was issued for the same workspace the nx.json cloud config points to.
How to prevent it
- Issue tokens per workspace and label them clearly.
- Rotate tokens on a schedule and update the secret immediately.
- Treat a persistent 401 as a credential problem, not a transient one.
Related guides
Nx Cloud "unable to connect" / missing NX_CLOUD_ACCESS_TOKEN in CIFix Nx Cloud "unable to connect" in CI - the runner has no NX_CLOUD_ACCESS_TOKEN, so distributed caching and…
Turborepo remote cache 403 / bad TURBO_TOKEN in CIFix Turborepo remote cache 403 in CI - turbo reached the cache but the TURBO_TOKEN or TURBO_TEAM was rejected…
Nx "Cannot read cache" / cache miss in CIFix Nx "Cannot read cache" and unexpected cache misses in CI - the local cache is not restored between jobs o…