Got a 401 Unauthorized error during a terraform apply run on our Genesys Cloud provider configuration. The weird part is the token refresh logic in the provider code seems fine, but the subsequent API call to GET /api/v2/users/me fails immediately after the refresh.
Here is the flow:
- Initial token expires.
- Provider hits POST /oauth/token with client credentials.
- Gets back a new access_token with an expiry in 30 minutes.
- Immediately tries GET /api/v2/users/me with the new token.
- Server responds with 401: “Invalid token signature.”
We are running the Terraform state server in us-east-1, and the Genesys Cloud org is in us-east-1 as well. I checked the system time on the EC2 instance running the Terraform process, and it’s synced via NTP. The skew is less than 50ms.
Here is the relevant snippet from the provider debug logs:

```
[DEBUG] Received token response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "bearer",
"expires_in": 1800,
"scope": "admin:queue:read user:read"
}
[DEBUG] Making request to /api/v2/users/me
[ERROR] Response status: 401 Unauthorized
[ERROR] Body: {"error":"invalid_grant","error_description":"Token signature validation failed"}
```
I’m using the official genesys-cloud/terraform-provider-genesyscloud version 1.12.0. I’ve tried disabling the retry logic to see if it’s a race condition, but the 401 is instant. Is there a known issue with clock skew tolerance on the Genesys OAuth server side? Or maybe the Terraform provider is caching the old token’s expiry time incorrectly?
Also, checking the JWT header, the issuer is api.us.genesys.cloud. Not sure if that matters for the signature validation. Anyone else hit this wall with the client credentials flow in Terraform?
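A local triage check for the refreshed token, added here as an example (not code from the Genesys Cloud provider): it decodes the JWT without verifying the signature, flags iat/nbf/exp values that disagree with the local clock, compares the response's expires_in with exp minus iat, and compares the issuer host with the API host being called. The sample token, claims and the second-region hostname are constructed for the demo.

```python
from __future__ import annotations
import base64
import json
import time
from urllib.parse import urlparse


def _b64url(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.
    For inspection only: a token must never be accepted on this basis."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url(parts[0])), json.loads(_b64url(parts[1]))


def diagnose(token: str, api_base_url: str, expires_in: int | None = None,
             now: float | None = None) -> list[str]:
    """Return findings that could explain a 401 right after a token refresh."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    findings = []
    if header.get("alg") in (None, "none"):
        findings.append(f"missing or unsafe alg in header: {header.get('alg')!r}")
    for name in ("iat", "nbf"):  # a future iat/nbf usually means clock skew
        if name in claims and claims[name] > now + 60:
            findings.append(f"{name} is {claims[name] - now:.0f}s in the future")
    if "exp" in claims and claims["exp"] <= now:
        findings.append(f"token expired {now - claims['exp']:.0f}s ago")
    if expires_in is not None and "exp" in claims and "iat" in claims:
        if abs((claims["exp"] - claims["iat"]) - expires_in) > 5:
            findings.append("expires_in in the token response does not match exp-iat")
    iss = claims.get("iss", "")
    iss_host = urlparse(iss).hostname or iss  # iss may be a bare host or a URL
    api_host = urlparse(api_base_url).hostname or api_base_url
    if iss_host and iss_host != api_host:
        findings.append(f"issuer host {iss_host!r} is not the API host {api_host!r}; "
                        "confirm both belong to the same region")
    return findings


def make_sample_token(claims: dict) -> str:
    # Constructed sample with a dummy signature; a real signature can only be
    # verified against the issuer's public key, which this check does not do.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

Run diagnose() on the access_token from the debug log with the API base URL the provider is actually calling; an empty list means the claims and clock look consistent and the problem is on the issuer side.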