Native to Web SSO Fails with "'subject_token' is invalid." or "The 'interclient_token' has an invalid issuer."
Okta Identity Engine
API Access Management
Overview

Native to Web SSO Login fails with one of the following errors:

  • 'subject_token' is invalid.
  • The 'interclient_token' has an invalid issuer.


Applies To
  • Okta Identity Engine (OIE)
  • OpenID Connect (OIDC)
  • Native To Web Single Sign-On (SSO)
Cause

The same Authorization Server was not used for each step in the login process.

These errors occur whenever the three steps of the Native to Web SSO login process, as documented in Configure Native to Web SSO, are not all performed against the same Authorization Server.

Solution

Native to Web SSO Login can use either a Custom or the Org Authorization Server.

The same Authorization Server must be used for each of the three login steps:

  1. Initial login  
    • Embedded IDX
    • Direct Auth
    • Resource Owner Password 
    • Redirect Authorize
  2. Token Exchange
  3. Web Authorize Call

Using a different Authorization Server during the Token Exchange step will return the error "'subject_token' is invalid."
Using a different Authorization Server during the Web Authorize step will return the error "The 'interclient_token' has an invalid issuer."
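The following added example (not Okta's own code) checks a configuration for this mismatch before deployment: it reads the `iss` claim of a token from the initial login and compares it with the Authorization Server behind the Token Exchange and Web Authorize URLs. It assumes Okta's usual layout, where the Org Authorization Server issuer is `https://{yourOktaDomain}` and a Custom one is `https://{yourOktaDomain}/oauth2/{authorizationServerId}`; the domain, the helper names and the sample token are constructed for illustration.

```python
import base64, json
from urllib.parse import urlsplit

def jwt_issuer(token):
    """Read `iss` from a JWT payload WITHOUT verifying it (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["iss"].rstrip("/")

def endpoint_issuer(url):
    """Map an /authorize or /token URL to the issuer of the server behind it."""
    u = urlsplit(url)
    seg = [s for s in u.path.split("/") if s]
    base = f"{u.scheme}://{u.netloc}"
    if seg[:2] == ["oauth2", "v1"]:                # Org Authorization Server
        return base
    if len(seg) >= 3 and seg[0] == "oauth2" and seg[2] == "v1":
        return f"{base}/oauth2/{seg[1]}"           # Custom Authorization Server
    raise ValueError(f"not an Okta OAuth endpoint: {url}")

def diagnose(login_token, token_exchange_url, web_authorize_url):
    """Return (step, expected error) for each step that leaves the login issuer."""
    expected = jwt_issuer(login_token)
    checks = [
        ("Token Exchange", token_exchange_url, "'subject_token' is invalid."),
        ("Web Authorize Call", web_authorize_url,
         "The 'interclient_token' has an invalid issuer."),
    ]
    return [(step, err) for step, url, err in checks
            if endpoint_issuer(url) != expected]

def sample_jwt(iss):
    """Constructed, unsigned token carrying only an `iss` claim."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss})}.sig"

if __name__ == "__main__":
    org = "https://example.okta.com"               # constructed domain
    token = sample_jwt(f"{org}/oauth2/default")    # login used a Custom server
    # Token Exchange is pointed at the Org server by mistake:
    print(diagnose(token, f"{org}/oauth2/v1/token",
                   f"{org}/oauth2/default/v1/authorize?client_id=web"))
```

The token is decoded without signature verification, so the result is a configuration diagnostic and not a trust decision.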

 
