JFrog "access token expired" in CI
The access token used by CI has expired. JFrog access tokens carry an expiry, and once past it every authenticated request is rejected until a fresh token is issued.
What this error means
jf commands that worked yesterday now fail with "token expired", "invalid token", or a sudden 401 across the whole pipeline.
jf
[Error] server response: 401 Unauthorized
{
"errors": [ { "status": 401, "message": "Token expired" } ]
}Common causes
The token passed its expiry
A time-boxed access token stored as a secret reached its expiry, so Artifactory rejects it everywhere at once.
A short-lived token reused across many runs
A token minted with a brief lifetime was cached as a secret and kept in use past its window.
How to fix it
Rotate the token secret
- Generate a fresh access token in the JFrog Platform.
- Update the JF_ACCESS_TOKEN secret with the new value.
- Re-run the pipeline; the 401s clear.
Terminal
jf rt ping --url "$JF_URL" --access-token "$JF_ACCESS_TOKEN"Use OIDC for short-lived per-run tokens
Exchange a GitHub OIDC token for a fresh Artifactory token each run so nothing expires between runs.
.github/workflows/ci.yml
- uses: jfrog/setup-jfrog-cli@v4
with:
oidc-provider-name: github-actions
env:
JF_URL: ${{ vars.JF_URL }}How to prevent it
- Prefer OIDC so CI mints a fresh short-lived token each run.
- If using static tokens, choose a longer expiry and track renewal.
- Rotate the secret in one place when a token nears expiry.
Related guides
JFrog "401 Unauthorized" (JF_ACCESS_TOKEN) in CIFix JFrog "401 Unauthorized" in CI - the jf CLI reached Artifactory but sent no valid credential because JF_A…
JFrog "403 Forbidden" repository permissions in CIFix JFrog "403 Forbidden" in CI - the token authenticated but the principal lacks deploy or read permission o…
JFrog "connection refused" / wrong JF_URL in CIFix jf "connection refused" or "no such host" in CI - JF_URL points at the wrong host, port, or scheme, or om…