Alerting
Questions about alerting and problem detection in Dynatrace.

Dynatrace integration using expired jwt token

monique_vanwall
Organizer

After migration to SaaS, integration on alerts is failing regularly with an expired token.

I got confirmation from support: "To remain efficient and avoid unnecessary calls to Entra ID, Dynatrace caches the JWS token. It continues to use the cached token until the destination returns a 401 Unauthorized."

Advice:

  1. Increase the token lifetime -> fewer failures.
  2. Edit the anomaly settings for the API-GW service to ignore 401 errors.

Both of the options are unrealistic: increasing the token lifetime will not be allowed by security AND the failures will only decrease but will keep on occurring (just less frequently).
Anomaly settings on API-GW to ignore 401 errors would give a false view, as there might be other causes for the 401s which we would be missing.

Anyone having the same experience? Any idea how to solve this? And why does DT not test for expiration before (re-)using the token?

 

1 REPLY 1

t_pawlak
Champion

Hi,
I will try to answer 😉

Entra ID access tokens are short-lived and can vary (often ~60–90 minutes by design).
https://office365itpros.com/2023/05/29/azure-ad-access-token-lifetime/

I think you can try one of these options:
The first option is to create a proxy/webhook receiver.

Dynatrace → your proxy endpoint

Proxy handles Entra auth, refreshes proactively (e.g., refresh when <5 minutes left), then calls API-GW.
No security exceptions, no “ignore 401”, full control (retries, logging, idempotency).

The second option is to use Dynatrace Workflows instead of the legacy notification integration.

Workflows allow:

HTTP Request with Credential Vault, and for advanced auth:

Run JavaScript to fetch a fresh Entra token “just-in-time” and send the request.
https://docs.dynatrace.com/docs/analyze-explore-automate/workflows/default-workflow-actions/http-req...

 

Why doesn’t Dynatrace check the token expiry before reuse?

  • tokens aren’t always safely/consistently parseable/usable as a “trustworthy expiry source” across providers,
  • standard integration pattern: use cached bearer → refresh on 401 
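
A sketch of the proxy option described in the reply above, added here as an example (not code from the thread or from Dynatrace): a token cache that refreshes when less than 5 minutes remain, takes the expiry from the `expires_in` field of the OAuth 2.0 token response instead of parsing the JWT, and still retries once on a 401. `fetchToken` and `callDownstream` are hypothetical injected functions standing in for the Entra ID token request and the API-GW call.

```javascript
// Added example: proactive-refresh token cache for a webhook proxy.
// fetchToken and callDownstream are hypothetical, injected by the caller.
const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh when <5 minutes are left

class TokenCache {
  constructor(fetchToken, now = () => Date.now()) {
    this.fetchToken = fetchToken; // resolves { access_token, expires_in }
    this.now = now;               // injectable clock, so expiry can be tested
    this.entry = null;            // { token, expiresAt } once a token is cached
    this.inflight = null;         // shared promise: concurrent alerts, one refresh
  }

  isFresh() {
    return this.entry !== null &&
      this.entry.expiresAt - this.now() > REFRESH_MARGIN_MS;
  }

  invalidate() { this.entry = null; }

  async getToken() {
    if (this.isFresh()) return this.entry.token;
    if (!this.inflight) {
      this.inflight = this.fetchToken()
        .then((r) => {
          // Expiry is derived from expires_in (seconds), not from the JWT body.
          this.entry = {
            token: r.access_token,
            expiresAt: this.now() + r.expires_in * 1000,
          };
          return this.entry.token;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}

// Forward one alert payload. A 401 forces a single refresh-and-retry, which
// covers early revocation; a 401 that survives the retry is a real finding.
async function forwardAlert(cache, callDownstream, payload) {
  let status = await callDownstream(await cache.getToken(), payload);
  if (status === 401) {
    cache.invalidate();
    status = await callDownstream(await cache.getToken(), payload);
  }
  return status;
}
```

With this in front of the API-GW, 401 anomaly detection can stay enabled, because routine token expiry no longer produces 401s.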
