Can anyone explain why the Platform API returns a 401 Unauthorized when invoking a Data Action webhook to ServiceNow? The JWT is valid for 120 seconds and generated via the standard OAuth2 flow.
{
"errors": [{"code": "unauthorized","message": "Invalid token."}]
}
This happens intermittently during peak load in the Europe/London timezone. Token refresh logic seems correct.
The problem here is…
{
"expires_in": 300,
"token_type": "Bearer"
}
120 seconds is cutting it incredibly close for cross-region latency! Bumping that to 300 seconds usually clears up those intermittent 401s during peak load. The clock skew between London and the auth server can eat up that buffer instantly. Try extending the window!
Ah, this is a recognized issue with short-lived tokens in distributed systems. The suggestion above about extending the window is solid, but from a load testing perspective, clock skew is just one variable. Under high concurrency, the latency between token generation and webhook execution can exceed that 120-second buffer before the request even hits the auth server.
When running JMeter tests against ap-southeast-1, I’ve seen similar 401s when the throughput spikes. The fix isn’t just increasing expires_in, but ensuring the token lifecycle covers the full execution path. Here is the adjusted payload structure that helps stabilize the connection during ramp-up:
{
"grant_type": "client_credentials",
"scope": "platform:api:read",
"expires_in": 300
}
Bumping to 300 seconds provides a safer margin for cross-region latency. Also, verify your JMeter timer settings. If threads are holding tokens too long between iterations, the refresh logic might not trigger fast enough. Monitor the Retry-After header in the 429 responses if you hit rate limits while refreshing.
You need to check your token refresh logic. the 120s window is too tight for cross-region calls. bump it to 300s or implement a background refresh task.