Troubleshooting security errors

Security-related errors are always indicated by an HTTP 401 or 403 status code. The following sections outline steps you can take to confirm the exact cause of each type of error.

401 Errors

A 401 error could be due to missing or invalid identification in the request. It will come with one of the following error codes, which indicate what identification was expected in the request:

Error code              Description
InvalidConnectApiToken  Invalid connectApiToken
InvalidTenantToken      Invalid vista-tenant header (Veezi only)
InvalidLoyaltyToken     Invalid loyaltySessionToken

Sample 401 error response:

{
    "errorCode": "InvalidLoyaltyToken",
    "errors": [
        {
            "description": "loyaltySessionToken is invalid."
        }
    ]
}

You can use the Identity Endpoint to confirm that the Connect API token provided to Connect is valid.

If HMAC is enabled in your environment, a 401 error indicates that valid HMAC parameters weren't provided in the request.

403 Errors

A 403 error could be due to a valid but expired Loyalty Session token being provided in the request, and is accompanied by an errorCode of "ExpiredLoyaltyToken".

A 403 error could also be due to incorrect or insufficient permissions set up for a client associated with a Connect API token. To troubleshoot this kind of error, we recommend contacting your Connect administrator first to check that the token you are supplying has access to the endpoint you are making a request to. If the client has permissions for the endpoint, the functionality requested is most likely restricted by a security behaviour. Confirm with your Connect administrator that your client has any appropriate security behaviours enabled.

Trace logging

To help with troubleshooting, Connect provides trace logging for security-related errors, which gives detailed information on the cause of an issue. Either ask your Connect administrator to increase the logging level of Connect, or add the Trace Logging Token to your request.
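
The 401 and 403 cases described on this page can be triaged on the client before escalating. The following is an added example, not code from Connect or its documentation: the function name `triage`, the `hmac_enabled` parameter and the next-step labels are hypothetical, and it assumes a 401 without one of the listed error codes is an HMAC failure when HMAC is enabled, since the page names no error code for that case.

```python
import json

# Error codes and descriptions as listed on this page.
KNOWN_401 = {
    "InvalidConnectApiToken": "invalid connectApiToken",
    "InvalidTenantToken": "invalid vista-tenant header (Veezi only)",
    "InvalidLoyaltyToken": "invalid loyaltySessionToken",
}

def triage(status, body, hmac_enabled=False):
    """Return (cause, next_step, detail) for a 401/403 response, else None.

    next_step values are hypothetical labels for this example.
    """
    if status not in (401, 403):
        return None
    try:
        payload = json.loads(body) if body else {}
    except (TypeError, ValueError):
        payload = {}  # e.g. an HTML error page from an intermediary
    if not isinstance(payload, dict):
        payload = {}
    code = payload.get("errorCode")
    if not isinstance(code, str):
        code = None
    errors = payload.get("errors")
    if not isinstance(errors, list):
        errors = []
    detail = "; ".join(str(e.get("description", "")) for e in errors if isinstance(e, dict))
    if status == 401:
        if code in KNOWN_401:
            return (KNOWN_401[code], "fix-credential", detail)
        if hmac_enabled:
            # Assumption: the page names no errorCode for HMAC failures.
            return ("invalid or missing HMAC parameters", "fix-hmac", detail)
        return ("unrecognised 401", "request-trace-logging", detail)
    if code == "ExpiredLoyaltyToken":
        return ("expired loyaltySessionToken", "renew-loyalty-session", detail)
    return ("client permissions or security behaviour", "contact-connect-admin", detail)

if __name__ == "__main__":
    # Constructed inputs; the first body is the sample response from this page.
    sample = '{"errorCode": "InvalidLoyaltyToken", "errors": [{"description": "loyaltySessionToken is invalid."}]}'
    print(triage(401, sample))
    print(triage(403, '{"errorCode": "ExpiredLoyaltyToken"}'))
    print(triage(403, "<html>Forbidden</html>"))
    print(triage(401, "", hmac_enabled=True))
```

Only the expired-token case is worth an automatic retry after renewing the loyalty session; the other outcomes point to configuration or permissions that a retry will not change.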