
Okta Access Gateway: Invalid API Token Server Error When Updating an App

Access Gateway
Okta Classic Engine
Okta Identity Engine

Overview

An attempt to update or save an application fails with a UI error:

 

This Event has been logged.

Server has encountered an error updating the application.

In the logs, the following error can also be seen:

 

code:E0000011, message:Invalid API Token, developerMessage:Valid API token still exists in Okta

 

ACCESS_GATEWAY WEB_CONSOLE Expecting statusCode:200 received:401 Error:{errorCode=E0000011, errorSummary=Invalid token provided, errorLink=E0000011, errorId=oaerMYj7flASCei5_aa1ER3Mw, errorCauses=[]}
ACCESS_GATEWAY WEB_CONSOLE handling service exception: com.icsynergy.spgateway.service.OktaServiceException Error: com.icsynergy.spgateway.domain.SPGWError(type:SPGW_OKTA_BAD_TOKEN, status:401, code:E0000011, message:Invalid API Token, developerMessage:Valid API token still exists in Okta, errors:[ERROR:[errorCode:E0000011, errorSummary:Invalid token provided, errorLink:E0000011, errorId:oaerMYj7flASCei5_aa1ER3Mw, errorCauses:[]]], context:null)
com.icsynergy.spgateway.service.OktaServiceException null
    at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
    at com.icsynergy.spgateway.service.subsystem.OktaService.handleResult2(OktaService.groovy:1455)
    at org.codehaus.groovy.vmplugin.v8.IndyInterface.fromCache(IndyInterface.java:321)
    at com.icsynergy.spgateway.service.subsystem.OktaService.updateGtrConfig(OktaService.groovy:1401)

Applies To

  • Okta Access Gateway (OAG)
  • Global Token Revocation (GTR)
  • Okta Classic Engine
  • Okta Identity Engine (OIE)

Cause

This will happen if the app was created under an IdP that uses the admin console URL for the Okta org URL (that is, company-admin.okta.com instead of company.okta.com).

 

The Configure IdP doc mentions not to use the admin interface URL. However, this did not prevent app creation under the IdP until OAG version 2025.3.0, when the GTR feature was added.

 

Now, OAG appends "-admin" to the IdP URL when making API requests, specifically to set the GTR config in this case. This results in an API request to an invalid URL (that is, company-admin-admin.okta.com), which can be seen in the oag-admin logs if debug logging is enabled.

2026-02-10T16:30:51.020-05:00 DEBUG 1130 --- [ XNIO-1 task-4] c.i.s.internal.OktaRestHttpClient : >> buildPostRequest calling url:https://myorg-prod-admin-admin.okta.com/admin/api/v1/app/myorg-prod_headerssoapptestadmin_1/instance/0oazrknr78MvIgiB2697/logout/config with content: {"systemInitiatedLogout":{"enabled":false},"globalTokenRevocation":{"subjectFormat":"EMAIL","authMethod":"SIGNED_JWT","revocationEndpoint":"https://testextraadminheader.myorg.me/oag-session/gtr"}}

If the IdP URL does not contain "-admin", the API token is likely actually invalid, possibly due to not being refreshed or the account being suspended.
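
The two checks described above can be scripted for triage. The following Python is an added example, not Okta's code: the function names are hypothetical, the sample log lines are constructed in the shape of the debug line quoted above, and the "-admin" suffix test is a heuristic that assumes the org's own subdomain does not itself end in "-admin".

```python
import re
from urllib.parse import urlsplit

# Request URL as logged by OktaRestHttpClient in oag-admin DEBUG output.
REQUEST_URL = re.compile(r"buildPostRequest calling url:(https?://\S+)")

def org_label(url):
    """Return the first DNS label of the host, e.g. 'company-admin'."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    return host.split(".")[0].lower()

def is_admin_console_url(idp_org_url):
    """Heuristic: the IdP's Okta org URL looks like the admin console URL."""
    return org_label(idp_org_url).endswith("-admin")

def doubled_admin_hosts(log_lines):
    """Hosts in debug lines where '-admin' was appended to an admin URL."""
    hits = []
    for line in log_lines:
        m = REQUEST_URL.search(line)
        if not m:
            continue
        host = (urlsplit(m.group(1)).hostname or "").lower()
        if host.split(".")[0].endswith("-admin-admin") and host not in hits:
            hits.append(host)
    return hits

def triage(idp_org_url, log_lines):
    """Choose between the two causes the article gives for E0000011."""
    if is_admin_console_url(idp_org_url) or doubled_admin_hosts(log_lines):
        return "idp-url-is-admin-console"
    return "check-api-token"

# Constructed sample input (app path and request body are placeholders).
SAMPLE_LOG = [
    "2026-02-10T16:30:51.020-05:00 DEBUG 1130 --- [ XNIO-1 task-4] "
    "c.i.s.internal.OktaRestHttpClient : >> buildPostRequest calling "
    "url:https://myorg-prod-admin-admin.okta.com/admin/api/v1/app/example/logout/config "
    "with content: {}",
    "2026-02-10T16:30:51.300-05:00 DEBUG 1130 --- [ XNIO-1 task-4] unrelated line",
]

if __name__ == "__main__":
    print(doubled_admin_hosts(SAMPLE_LOG))
    print(triage("https://company-admin.okta.com", SAMPLE_LOG))
    print(triage("https://company.okta.com", []))
```

A result of "check-api-token" corresponds to the case where the token itself is invalid, for example not refreshed or tied to a suspended account.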

Solution

Recreate the applications under an IdP with the correct Okta Org URL.
