https://community.dynatrace.com/t5/Alerting/Dynatrace-integration-using-expired-jwt-token/m-p/293287#M6159 <P>after migration to SAAS , integration on alerts is failing regularly with expired token.&nbsp;&nbsp;<BR /><BR />I got confirmation of support "<SPAN>To remain efficient and avoid unnecessary calls to Entra ID, Dynatrace caches the JWS token.&nbsp;It continues to use the cached token until the destination returns a&nbsp;401 Unauthorized."<BR /><BR /><FONT color="#000000">Advice :&nbsp;<BR /></FONT></SPAN></P><OL><LI>Increase the token lifetime&nbsp; -&gt; Less failures.</LI><LI>Edit the anomaly settings for the API-GW service to ignore 401 errors.</LI></OL><P>both of the options are not realistic : Increasing the token lifetime will not be allowed by security AND will only decrease but will keep on occurring (but less frequent)<BR />Anomaly settings on API-GW to ignore 401 errors, would give a false view, as there might be other causes for the 401's wich we would be missing.<BR /><BR />Anyone having same experience ?&nbsp; Any idea how to solve ?&nbsp; And why does DT not test on expiration before (re-)using the token ?&nbsp;&nbsp;<BR /><BR /></P><P>&nbsp;</P> Mon, 19 Jan 2026 15:49:20 GMT monique_vanwall 2026-01-19T15:49:20Z https://community.dynatrace.com/t5/Alerting/Dynatrace-integration-using-expired-jwt-token/m-p/293287#M6159 <P>after migration to SAAS , integration on alerts is failing regularly with expired token.&nbsp;&nbsp;<BR /><BR />I got confirmation of support "<SPAN>To remain efficient and avoid unnecessary calls to Entra ID, Dynatrace caches the JWS token.&nbsp;It continues to use the cached token until the destination returns a&nbsp;401 Unauthorized."<BR /><BR /><FONT color="#000000">Advice :&nbsp;<BR /></FONT></SPAN></P><OL><LI>Increase the token lifetime&nbsp; -&gt; Less failures.</LI><LI>Edit the anomaly settings for the API-GW service to ignore 401 errors.</LI></OL><P>both of the options are not realistic : Increasing the token lifetime will not be allowed by security AND will only decrease but will keep on occurring (but less frequent)<BR />Anomaly settings on API-GW to ignore 401 errors, would give a false view, as there might be other causes for the 401's wich we would be missing.<BR /><BR />Anyone having same experience ?&nbsp; Any idea how to solve ?&nbsp; And why does DT not test on expiration before (re-)using the token ?&nbsp;&nbsp;<BR /><BR /></P><P>&nbsp;</P> Mon, 19 Jan 2026 15:49:20 GMT https://community.dynatrace.com/t5/Alerting/Dynatrace-integration-using-expired-jwt-token/m-p/293287#M6159 monique_vanwall 2026-01-19T15:49:20Z https://community.dynatrace.com/t5/Alerting/Dynatrace-integration-using-expired-jwt-token/m-p/293390#M6164 <P>Hi,<BR />i will try answer <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>Entra ID access tokens are short-lived and can vary (often ~60–90 minutes by design).<BR /><A href="https://office365itpros.com/2023/05/29/azure-ad-access-token-lifetime/" target="_blank">https://office365itpros.com/2023/05/29/azure-ad-access-token-lifetime/</A><BR /><BR />I think you can try one of this options:<BR />First option is create&nbsp;proxy/webhook receiver.&nbsp;</P><P>Dynatrace → your proxy endpoint</P><P>Proxy handles Entra auth, refreshes proactively (e.g., refresh when &lt;5 minutes left), then calls API-GW.<BR />No security exceptions, no “ignore 401”, full control (retries, logging, idempotency).<BR /><BR />Second option is&nbsp;Use Dynatrace Workflows instead of the legacy notification integration.&nbsp;</P><P>Workflows allow:</P><P>HTTP Request with Credential Vault, and for advanced auth:</P><P>Run JavaScript to fetch a fresh Entra token “just-in-time” and send the request.<BR /><A href="https://docs.dynatrace.com/docs/analyze-explore-automate/workflows/default-workflow-actions/http-request-workflow-action" target="_blank">https://docs.dynatrace.com/docs/analyze-explore-automate/workflows/default-workflow-actions/http-request-workflow-action</A></P><P>&nbsp;</P><P>Why doesn’t Dynatrace check the token expiry before reuse?</P><UL><LI>tokens aren’t always safely/consistently parseable/usable as a “trustworthy expiry source” across providers,</LI><LI>standard integration pattern: use cached bearer → refresh on 401&nbsp;</LI></UL> Wed, 21 Jan 2026 13:52:54 GMT https://community.dynatrace.com/t5/Alerting/Dynatrace-integration-using-expired-jwt-token/m-p/293390#M6164 t_pawlak 2026-01-21T13:52:54Z