> ## Documentation Index
> Fetch the complete documentation index at: https://docs.heydollr.app/llms.txt
> Use this file to discover all available pages before exploring further.

# 401 — Invalid Credentials

> Fix missing, malformed, or expired Dollr API Bearer tokens.

You received **401 Unauthorized** with a message like `Could not validate credentials` or `Not authenticated`.

## The problem

The Dollr API did not accept the `Authorization` header on your request. Common causes:

* No `Authorization: Bearer <token>` header
* Token expired (`expires_in` is in **minutes**)
* Typo in the token string or extra whitespace
* Using test credentials against live endpoints (or vice versa)

## How to identify

1. Confirm the failing request includes `Authorization: Bearer ...`
2. Check when you last called `POST /v1/jwt/client/obtain/token`
3. Compare `expires_in` from that response with the current time

## Solution

<Steps>
  <Step title="Obtain a fresh token">
    ```bash theme={null}
    curl -X POST "https://api.heydollr.app/v1/jwt/client/obtain/token" \
      -H "Content-Type: application/json" \
      -d '{"client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_CLIENT_SECRET"}'
    ```

    See [Authentication](/authentication) and [API Reference](/api-reference/jwt/client-obtain-token).
  </Step>

  <Step title="Refresh proactively">
    Request a new token when fewer than **5 minutes** remain — do not wait for the first 401 in production traffic.
  </Step>

  <Step title="Retry the original request once">
    Replace the header and retry. If it still fails, verify Client ID/secret in the [merchant portal](https://merchant.heydollr.app).
  </Step>
</Steps>

## Still having issues?

* Rotate API keys if the secret may have leaked
* Email [dev@heydollr.app](mailto:dev@heydollr.app) with timestamp (UTC) and redacted headers

## Related

* [Error handling](/guides/error-handling)
* [Forbidden 403](/knowledge-base/forbidden-403-unverified)