Headless API doesn't return a 401 after token expiration


  • When I make a headless API call after the OAuth token has expired, I expect the call to return with a 401 status code.
  • However, Liferay returns other status codes after OAuth token expiry. For example, when I make a GET request to retrieve a collection after my OAuth token has expired, an empty collection is returned with 200 success code.


  • DXP 7.4


  • Not returning 401 status codes is an intentional measure to prevent the discovery of resources.
  • For example, returning an empty collection with 200 success code to an unauthorized GET request prevents a third party from differentiating between a lack of authorization and the collection being empty. 

Additional Information

  • We are currently exploring a feature to allow servers to answer API requests after OAuth token expiry with a 401 status code. You can follow this feature's progress or vote on it for visibility at LPS-159598.
¿Fue útil este artículo?
Usuarios a los que les pareció útil: 0 de 0