Share via

Receiving HTTP 401 “invalid token” errors when calling the REST API.

Ahmad Firdaus 0 Reputation points
2025-03-24T10:08:16.5966667+00:00

My application is failing to establish a API connection to Azure Web PubSub. The service responds with a 401 (Unauthorized) error. I have verified my connection string and credentials in the Azure Portal, but the issue persists.I'm used third party tool like Postman to test the API and the response is still 401 (Unauthorized) error with the description Bearer error="invalid_token".

I'm using the code below written in PHP to generate the SAS token.

<?php

function generateSASToken($endpoint, $hub, $key, $expirySeconds = 3600, $apiVersion = "2024-12-01") {
// Build the resource URI exactly as required.

$resourceUri = "$endpoint/api/hubs/$hub"; 

// URL-encode the resource URI (preserving case; do not force lowercase)

$encodedResourceUri = urlencode($resourceUri);

// Set expiry time

$expiry = time() + $expirySeconds;

// The string-to-sign must be exactly: <encoded-resource-uri>\n<expiry>

$stringToSign = "$encodedResourceUri\n$expiry";



// Compute the HMAC-SHA256 signature using the primary key (which is base64-encoded)

$signature = base64_encode(hash_hmac('sha256', $stringToSign, base64_decode($key), true));



// Build the SAS token

$sasToken = "SharedAccessSignature sr=$encodedResourceUri&sig=" . urlencode($signature) . "&se=$expiry";

return $sasToken;
}

$endpoint = <Hostname of web PubSub>; 

$hub = <Name in Hub Settings>; 

$primaryKey = <Primary Key>;  // Copy exactly from Azure Portal

$sasToken = generateSASToken($endpoint, $hub, $primaryKey);

echo "Generated SAS Token:\n$sasToken\n";

?>
Azure Web PubSub
Azure Web PubSub
An Azure service that provides real-time messaging for web applications using WebSockets and the publish-subscribe pattern.
97 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Alekhya Vaddepally 1,670 Reputation points Microsoft External Staff Moderator
    2025-03-24T16:33:50.4466667+00:00

    Hi Ahmad Firdaus
    This error suggests that the Stored Access Signature token is somehow invalid and, in most cases, is due to an incorrect endpoint. Shared Access Signature token is typically invalid due to the issue related to incorrect endpoint.

    The azure portal communicatins endpoint for the azure service bus namespace must be correctly provided to the generateSASToken() function. The endpoint values given to the generateSASToken() function are correct and match the given values in the Azure Portal.

    The urlencode() method might not be preserving case. Check if all character cases, slashes, and special characters that need to be encoded have been appropriately taken care of.

    The string used for signing the resource id must be in exact format as required by Azure Web PubSub. The resource URI for signing must have the specific format as defined by Azure Web PubSub.

    Make sure that the Api version defined in the Api URL is the same version you are using when making the request. Verify that the Api version specified in the API URL is the same as the one you are using in your request.

    Make sure that the primary Key being used is accurately copied from the Azure Portal as well as appropriately base64 decoded from being sent to hash_hmac. Primary key should be copied as it is shown in the Azure Portal then after base64 decoding it should be passed to hash_hmac function for processing.

    https://www.php.net/manual/en/function.hash-hmac.php

    If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.

    Let me know if you have any further Queries.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.