Sporadic 401 errors getting a constituent or titles, or posting a constituent

Hi, we have an iOS app that is used to register new members using the Constituent API. We're getting occasional 401 errors, either when grabbing a list of Titles at

constituent/v1/titles

or posting a constituent at

constituent/v1/constituents

or other constituent work like getting aliases or searching for a constituent by ID.


Occasionally we'll get reports from the field that something doesn't work correctly in the app, the Titles won't populate the dropdown, or the constituent search fails, etc. The error we get in a lot of these cases is a 401. Sometimes it seems like there might be network issues or other things going on, but I've never seen any evidence that a 401 can be caused by network issues. So for the 401s specifically - is this our refresh token expiring before we have allowed for that? I'm not the developer, we have an external agency, I'm just trying to help troubleshoot things. I've not got any good way of knowing when our token is being refreshed in each case. Also - if the same user account is logged in to 2 devices, will that mess with the refresh token between devices at all?


Happy to provide more detail if that helps - didn't want to go overboard with detail in the first instance. Thanks to anyone who has any insight!

Dev

Comments

  • Michael Tims (Blackbaud Employee)
    Hi Dev Lunsford, typically the 401 error with, "The required Authorization header was missing or invalid, or the token has expired" message is normal and just means the access token has expired and will need to be refreshed. I don't believe that particular error is due to an expired refresh token or the refresh token being invalid. The SKY API authorization docs go into some detail on how to respond to the "401 Not Authorized" error by refreshing the token.


    Although less likely since the app is making successful requests, the 401 error could also mean that the token supplied in the Authorization header is invalid due to being malformed. It's worth checking on that also just to make sure nothing's going wrong sometimes when populating the header.


    Also with each refresh, a new refresh token will be returned as described in the SKY API auth common issues documentation. That does mean that if you use a refresh token to refresh an access token, you'll need to store the new refresh token to refresh the subsequent access token, and so on... If you've burned the refresh token once (say the user logged into one device refreshes) and then try to use the same refresh token again (same user on a separate device) then you may receive a different error (invalid_grant).


    Hope that helps!
  • Another thing to evaluate is whether you're having a race condition where multiple requests happen in parallel to refresh an expired token. We introduced the preserve_refresh_token option described here to help with that type of scenario:
    https://developer.blackbaud.com/skyapi/docs/authorization/auth-code-flow/tutorial#refresh-access-token
  • Thanks Michael & Ben, this is useful. I'm going to pass this on to our developer in case it can help shed any light on what's happening.


    Can a header get accidentally malformed by bad network conditions, or is that not really possible?


    Presumably this could mean that the 401s we see in the error logging (Sentry.io) may in some circumstances literally just be the notification that the token needs to be refreshed now - and at that point the app would ideally nip over and refresh the token and then retry the last operation? It's possible this is already what it does, in which case 401's not a problem - it's just that we are also getting reports of odd behaviour at times and it looked like this might be a cause. It's quite possible that's something else. In any case, this should help us with what to look at next. Thanks again!

    Dev
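As an added illustration of the refresh-token rotation Michael describes, the parallel-refresh race Ben mentions, and the refresh-then-retry flow in the reply above, here is example Python code that is not from this thread or from Blackbaud. FakeAuthServer, TokenStore, the api stub and the token strings are constructed stand-ins for the SKY API token endpoint and a constituent request, not its real API.

```python
import threading

class FakeAuthServer:  # constructed stand-in for the token endpoint; rotates the refresh token on every use
    def __init__(self):
        self.live_refresh, self.n = {"rt-0"}, 0
    def refresh(self, refresh_token):
        if refresh_token not in self.live_refresh:
            return {"error": "invalid_grant"}  # token already burned or unknown
        self.live_refresh.discard(refresh_token)  # a refresh token is single-use
        self.n += 1
        self.live_refresh.add(f"rt-{self.n}")
        return {"access_token": f"at-{self.n}", "refresh_token": f"rt-{self.n}"}

class TokenStore:  # single-flight refresh: parallel callers share one refresh instead of racing
    def __init__(self, server, refresh_token):
        self.server, self.refresh_token, self.access_token = server, refresh_token, None
        self.lock, self.refresh_count = threading.Lock(), 0
    def refresh(self, stale):
        with self.lock:
            if self.access_token != stale:  # another caller refreshed already
                return self.access_token
            resp = self.server.refresh(self.refresh_token)
            if "error" in resp:
                raise PermissionError(resp["error"])  # needs a full re-authorization
            self.access_token = resp["access_token"]
            self.refresh_token = resp["refresh_token"]  # persist the rotated token
            self.refresh_count += 1
            return self.access_token

def call_with_retry(store, api_call):  # on a 401, refresh once and retry with the new access token
    status = api_call(token := store.access_token)
    return api_call(store.refresh(token)) if status == 401 else status

def demo(workers=5):
    server = FakeAuthServer()
    store = TokenStore(server, "rt-0")
    def api(token):  # constructed stand-in for GET constituent/v1/titles
        return 200 if token == f"at-{server.n}" else 401
    results = []
    threads = [threading.Thread(target=lambda: results.append(call_with_retry(store, api)))
               for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    try:  # a second device still holding the original rt-0 (already burned)
        TokenStore(server, "rt-0").refresh(None)
        second_device = "ok"
    except PermissionError as e:
        second_device = str(e)
    return results, store.refresh_count, second_device
```

Five parallel requests all recover with exactly one refresh, while the second device reusing the burned refresh token gets invalid_grant and must re-authorize.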
