164 questions
Azure DevOps PAT Token API returned 401 but OK for Work items
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 15%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shek Albert
0
Reputation points
I created the PAT with the following Scopes:
But for Token, I tried to list all the PATs and 401 returned
I would like to know if there is any extra permission or role control on the Organization will cause such problem?
Any help would be greatly appreciated.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 40%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBH%3C/text%3E%3C/svg%3E)
Bodapati Harish 320 Reputation points Microsoft External Staff2025-03-31T13:38:32.3133333+00:00 Hello @Shek Albert ,
The issue is happening because the PAT does not have the necessary permissions to access the Tokens API. While the PAT works fine for Work Items, accessing the Tokens API requires higher-level permissions that are only available to Azure DevOps Organization Administrators.
By default,
PATsonly allow a user to manage their own tokens but do not grant access to list all PATs in an organization unless the user is an Organization Administrator or has the required role.- Go to Azure DevOps and navigate to Organization Settings
- Select Permissions and look for your user account
- Ensure that your account is part of the Project Collection Administrators or Azure DevOps Administrators group
- Open Azure DevOps and go to Personal Access Tokens (PATs) → Manage Tokens
- Check if your token has the "Token Administration (Read & Manage)" and "Manage User Permissions" scopes
- If these scopes are missing, generate a new PAT with the required permissions
- If your current PAT does not have sufficient permissions, ask an Organization Administrator to generate a PAT with the correct scopes
- Only users with Organization-level admin access can successfully use the Tokens API
- Ensure that the API request is using the correct organization name and version
GET https://vssps.dev.azure.com/{organization}/_apis/Tokens/Pats?api-version=7.1-preview.1 - Replace
{organization}with your actual Azure DevOps organization name - Some sensitive APIs in Azure DevOps require OAuth authentication instead of PATs
- If the PAT still doesn’t work after adjusting permissions, consider using OAuth authentication through Azure AD
- If the issue persists, check your user role in Azure DevOps and confirm that the PAT includes all necessary permissions.
Hope this helps.
If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-02T03:47:08.4433333+00:00 Hello @Shek Albert,
Following up to see if you have chance to check the previous response and help us with requested information to check and assist you further on this.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-03T03:52:01.3266667+00:00 Hello @Shek Albert,
We haven’t heard from you on the last response and was just checking back to see could you please provide more details on your requirement so that I can assist you further.
-
Shek Albert 0 Reputation points
2025-04-03T07:36:01.6833333+00:00 Thanks for you help! It does give me insight on this problem.
Actually, I would like to renew my own PAT before its expiry date. Is there any other API that use to manage my own PAT?
As my account is Not a part of the Project Collection Administrators or Azure DevOps Administrators group, may it affect my action to renew?
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-03T12:29:39.2366667+00:00 Hello @Shek Albert,
Yes, you can renew your own PAT before it expires, even if you're not an Azure DevOps Administrator, as long as you have the right permissions. The API you can use for this is:
PATCH https://vssps.dev.azure.com/{organization}/_apis/Tokens/Pats?api-version=7.1-preview.1However, you need the PAT ID to renew it, and retrieving your PAT ID requires admin-level permissions. Since you're not in the Project Collection Administrators group, you might not be able to list your existing tokens through the API.
A simpler way to renew your PAT is through the Azure DevOps UI:
- Go to User Settings → Personal Access Tokens
- Find your PAT and click Edit
- Extend the expiration date and save
If you really need to do this via API, you may need an administrator to grant you the "Token Administration (Read & Manage)" scope.
I hope this helps!
Let me know if you need any further clarification, and I’ll be happy to assist you.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-04T03:29:56.96+00:00 Hello @Shek Albert,
Following up to see if you have chance to check the previous response and help us with requested information to check and assist you further on this.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-07T04:16:38.7366667+00:00 Hello @Shek Albert,
We haven’t heard from you on the last response and was just checking back to see could you please provide more details on your requirement so that I can assist you further.
-
Shek Albert 0 Reputation points
2025-04-08T14:15:29.9533333+00:00 Thanks for your help!
I added the Token Admin scope and tested your suggested API as follow:
And other than above API, is there any other API I can update my own PAT?
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-09T04:20:31.39+00:00 Hello @Shek Albert,
Thanks for the update. There’s no separate public API to renew your own PAT. The API you tried is designed for organization admins to manage PATs across users.
Even with the Token Admin scope, if you're not part of the Project Collection Administrators group, you'll hit a 401 Unauthorized as elevated org-level permissions are required.
The only supported way to renew your own PAT is through the Azure DevOps UI under User Settings > Personal Access Tokens.
Let me know if you need any further clarification, and I’ll be happy to assist you.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-10T03:56:54.35+00:00 Hello @Shek Albert,
Following up to see if you have chance to check the previous response and help us with requested information to check and assist you further on this.
-
Bodapati Harish 320 Reputation points Microsoft External Staff
2025-04-11T03:19:12.62+00:00 Hello @Shek Albert,
We haven’t heard from you on the last response and was just checking back to see could you please provide more details on your requirement so that I can assist you further.
Sign in to comment
Sign in to answer