Skip to content
Last updated

Troubleshooting Unauthorized (401) Errors

This guide explains the most common causes of 401 Unauthorized responses when calling the Rhythm APIs and how to resolve them.

1. Confirm the Authorization header

All Rhythm APIs require a valid OAuth 2.0 access token sent using the Bearer scheme:

Authorization: Bearer <access_token>

Ensure:

  • The header name is exactly Authorization
  • The value starts with Bearer (including the space)
  • The token has not expired

2. Verify the OAuth audience configuration

A frequent cause of 401 errors is an incorrect OAuth audience value when requesting the access token.

For Client Credentials and most server-to-server flows, the audience must be:

https://api.rhythmsoftware.com

If the audience does not match what the API expects, the token will be rejected even if it is otherwise valid.

Getting credentials

Your Client ID, Secret, and Auth0 domain are available in Rhythm Console under Security & Settings > API Keys.

See the Authentication tutorial for a full walkthrough of each flow.

3. Decode the access token and validate required claims

Decode the JWT access token and confirm the following claims are present:

  • http://rhythmsoftware.com/tenant_id
  • http://rhythmsoftware.com/customer_id

Optional but commonly present:

  • http://rhythmsoftware.com/contact_id

The contact_id claim is required for most Rolodex and Membership API calls and must be used in request paths where a contact identifier is required.

Decoding JWTs

You can inspect a JWT at https://jwt.io — paste the raw token into the Encoded field to view all claims.

4. First-time login edge case

If the user represented by the token has never logged into the Rhythm application, the contact_id claim may not yet exist. In this case:

  • The token may be valid
  • API calls that require a contact context will still return 401 Unauthorized

Have the user log into the Rhythm UI at least once to ensure the contact record is created.

5. Validate the contact using the Rolodex API

You can confirm that the token resolves to a valid contact by calling the Rolodex endpoint:

GET https://rolodex.api.rhythmsoftware.com/contacts/current

If this call succeeds, the token is valid and the contact is correctly associated.

6. Confirm the correct API base URL

Different Rhythm services use different base URLs. Common examples:

  • Rolodex API: https://rolodex.api.rhythmsoftware.com/contacts
  • Membership API: https://membership.api.rhythmsoftware.com/memberships

Using the wrong service base URL with an otherwise valid token may result in a 401 response.

Summary checklist

If you receive a 401 Unauthorized error, verify:

  • The Authorization: Bearer header is present and correct
  • The token has not expired
  • The OAuth audience is https://api.rhythmsoftware.com
  • The token contains tenant_id and contact_id claims
  • The user has logged into the Rhythm UI at least once
  • The request is sent to the correct service base URL

Authentication