Skip to content
Latchkey

Pact Broker "401 Unauthorized" / could not publish pacts in CI

The pact publish step reached the Pact Broker (or PactFlow) but was rejected with 401. The broker is up; the request carried no valid credentials or token, so the pacts were not published.

What this error means

Publishing fails with "Error publishing ... 401 Unauthorized" or "could not be published", naming the broker URL, while the broker itself responds.

Pact
Publishing 'web-consumer-user-api' pact to https://myorg.pactflow.io ...
Error: could not publish pact - 401 Unauthorized

Common causes

No broker token was provided to CI

The publish command has no bearer token or basic-auth credentials, or the secret was not exposed to the step, so the broker returns 401.

An expired or wrong token

A rotated or mistyped token authenticates as nobody, and the broker rejects the publish.

How to fix it

Provide the broker token from a secret

  1. Store the broker or PactFlow token as a CI secret.
  2. Pass it to the publish command via the token option or env var.
  3. Re-run so the authenticated publish succeeds.
.github/workflows/ci.yml
pact-broker publish ./pacts \
  --broker-base-url https://myorg.pactflow.io \
  --broker-token ${{ secrets.PACT_BROKER_TOKEN }} \
  --consumer-app-version ${{ github.sha }}

Rotate and update an expired token

A persistent 401 will not clear on retry. Issue a fresh token in the broker and update the CI secret.

How to prevent it

  • Keep the broker token in CI secrets, never in the repo.
  • Set the consumer app version from the commit SHA for traceability.
  • Rotate tokens on a schedule and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →