# Troubleshooting Unauthorized (401) Errors

This guide explains the most common causes of `401 Unauthorized` responses when calling the Rhythm APIs and how to resolve them.

## 1. Confirm the Authorization header

All Rhythm APIs require a valid OAuth 2.0 access token sent using the Bearer scheme:


```
Authorization: Bearer <access_token>
```

Ensure:

- The header name is exactly `Authorization`
- The value starts with `Bearer` (including the space)
- The token has not expired


## 2. Verify the OAuth audience configuration

A frequent cause of 401 errors is an incorrect OAuth **audience** value when requesting the access token.

For Client Credentials and most server-to-server flows, the audience must be:


```
https://api.rhythmsoftware.com
```

If the audience does not match what the API expects, the token will be rejected even if it is otherwise valid.

Getting credentials
Your `Client ID`, `Secret`, and `Auth0 domain` are available in Rhythm Console under **Security & Settings > API Keys**.

See the [Authentication](/tutorials/authentication) tutorial for a full walkthrough of each flow.

## 3. Decode the access token and validate required claims

Decode the JWT access token and confirm the following claims are present:

- `http://rhythmsoftware.com/tenant_id`
- `http://rhythmsoftware.com/customer_id`


Optional but commonly present:

- `http://rhythmsoftware.com/contact_id`


The `contact_id` claim is required for most Rolodex and Membership API calls and must be used in request paths where a contact identifier is required.

Decoding JWTs
You can inspect a JWT at [https://jwt.io](https://jwt.io) — paste the raw token into the Encoded field to view all claims.

## 4. First-time login edge case

If the user represented by the token has **never logged into the Rhythm application**, the `contact_id` claim may not yet exist. In this case:

- The token may be valid
- API calls that require a contact context will still return `401 Unauthorized`


Have the user log into the Rhythm UI at least once to ensure the contact record is created.

## 5. Validate the contact using the Rolodex API

You can confirm that the token resolves to a valid contact by calling the Rolodex endpoint:


```
GET https://rolodex.api.rhythmsoftware.com/contacts/current
```

If this call succeeds, the token is valid and the contact is correctly associated.

## 6. Confirm the correct API base URL

Different Rhythm services use different base URLs. Common examples:

- Rolodex API: `https://rolodex.api.rhythmsoftware.com/contacts`
- Membership API: `https://membership.api.rhythmsoftware.com/memberships`


Using the wrong service base URL with an otherwise valid token may result in a 401 response.

## Summary checklist

If you receive a 401 Unauthorized error, verify:

- The `Authorization: Bearer` header is present and correct
- The token has not expired
- The OAuth audience is `https://api.rhythmsoftware.com`
- The token contains `tenant_id` and `contact_id` claims
- The user has logged into the Rhythm UI at least once
- The request is sent to the correct service base URL