We occasionally get `401 Unauthorized` with `error="invalid_token"` when calling the Box Content API (e.g., DELETE /2.0/files/<FILE_ID>).
This happens about 2 times per month. Retrying the same operation later often succeeds.
We believe the access token itself is not expired at the time of the request:
- Access token was obtained at: <UTC timestamp>
- Token lifetime: 60 minutes
- Request time: <UTC timestamp> (within the lifetime)
We also believe we are not using the same token in parallel (single job / single worker).
Error response (sanitized):

```
401 Unauthorized
{
  "request_url": "https://api.box.com/2.0/files/<FILE_ID>",
  "status_code": 401,
  "response_header": {
    "Date": ["Sat, 24 Jan 2026 17:03:05 GMT"],
    "Www-Authenticate": [
      "Bearer realm=\"Service\", error=\"invalid_token\", error_description=\"The access token provided is invalid.\""
    ]
  }
}
```

Questions:
1) Besides expiration, what are common causes of `invalid_token` on Box APIs?
2) Could token refresh / token rotation invalidate a previously issued access token?
3) What additional data should we log to diagnose this (e.g., Box-Request-Id, token refresh response)?
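
For question 3, one way to turn a captured 401 like the one above into a single structured log record, measuring token age against the server's own `Date` header rather than the local clock. This is an added example, not code from the post or from Box. The token issue time is a constructed value, and `Box-Request-Id` is the header name mentioned in the post (recorded as `None` when it was not captured).

```python
import json
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, shaped like the sanitized response in the post.
SAMPLE = json.dumps({
    "request_url": "https://api.box.com/2.0/files/<FILE_ID>",
    "status_code": 401,
    "response_header": {
        "Date": ["Sat, 24 Jan 2026 17:03:05 GMT"],
        "Www-Authenticate": [
            'Bearer realm="Service", error="invalid_token", '
            'error_description="The access token provided is invalid."'
        ],
    },
})

# key="value" auth-params, allowing backslash-escaped characters in the value
_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse_bearer_challenge(value):
    """Split an RFC 6750 Bearer challenge into its auth-params."""
    scheme, _, rest = value.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return {k.lower(): re.sub(r"\\(.)", r"\1", v) for k, v in _PARAM.findall(rest)}

def diagnose(raw, token_issued_at, lifetime=timedelta(minutes=60)):
    """Build one log record for a 401, using the server's Date header as the clock."""
    resp = json.loads(raw)
    headers = {k.lower(): v[0] for k, v in resp["response_header"].items() if v}
    challenge = parse_bearer_challenge(headers.get("www-authenticate", ""))
    server_time = parsedate_to_datetime(headers["date"])
    age = server_time - token_issued_at
    return {
        "status_code": resp["status_code"],
        "error": challenge.get("error"),
        "error_description": challenge.get("error_description"),
        "server_time": server_time.isoformat(),
        "token_age_seconds": int(age.total_seconds()),
        "within_lifetime": timedelta(0) <= age < lifetime,
        "box_request_id": headers.get("box-request-id"),  # None if not captured
    }

if __name__ == "__main__":
    # Constructed issue time: 43 minutes 5 seconds before the response Date.
    print(diagnose(SAMPLE, datetime(2026, 1, 24, 16, 20, tzinfo=timezone.utc)))
```

A negative `token_age_seconds` or a value near the lifetime limit points at clock skew between the job host and the API, which the record makes visible without logging the token itself.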
