Question
Citi
US
Last activity: 6 Aug 2025 9:24 EDT
401 Unauthorized Error
Hi,
I have a GET api that is part of a component and works in PEGA but when I try to test in Postman/SoapUI I get an 401 Unauthorized error.
I have set the service package authentication type to OAuth2, created a Oauth2 client registration, and configured a token profile. The service package and client registration have the same access group.
I am able to generate a JWT in Pega using an activity and I have tested the token in jwt.io which confirms it's a valid token.
I also saw a post that recommended adding Sysadm4 role to the access group, but my group already has that role.
My team's application uses SSO and LDAP which I think may be causing the issue.
Does anyone have any tips/advice? Thank you
I used this guide: https://support.pega.com/discussion/create-oauth-20-access-token-call-pega-api?
ai4process ltd
GB
It sounds like your OAuth2 setup is mostly correct, but the 401 error from Postman/SoapUI suggests the token isn’t being accepted by Pega’s service endpoint. Here are a few things to check
- As long as the Component where this API is being invoked is part of the application stack of the Access Gorup you referred in your service package,
- Share the Postman configuration of how the auth is configured in Postman
Alternatively, you can create a Connect REST in Pega for the end point URL from service REST API from teh component and create an Auth profile to test using your Pega system.
Citi
US
Hi Ravi, thank you for your response!
I checked and the component is part of the application stack of the access group.
I add my generated JWT token in the authorization tab in postman (picture included).
Do you have any helpful guides/links on how to configure a connect REST? Thank you
ai4process ltd
GB
To configure a Connect REST in pega,
- get the service end point URL of the API from the Service REST rule.
- Use Pega's OOTB Connect REST Wizard . Configure--> Integration --> Connectors --> Connect REST Integration
- Provide your end point URL and authentication details in the wizard and complete the all the steps in the wizard. adn it should give you a Connect REST which you can use to Trace.
If you are still seeing a 401 unauthorised error from this wizard or Connect REST, then there is some issue in the configuration of the OAuth 2.0 Client registration
if your API works as expected without any Auth errors, then there is an issue with your POSTMAN configuration.
Either way this should give you a direction to proceed forward.
Citi
US
@RaviChandrathank you let me try that!
HCA Healthcare
US
@DaniV17021618 Here's what's likely happening: Your OAuth2 setup is correct on the Pega side, but you're getting a 401 Unauthorized in Postman or SoapUI due to SSO/LDAP interfering with token authentication. Since you're using JWT OAuth tokens, LDAP/SSO shouldn't directly affect the API calls, but sometimes the authentication layers conflict, especially if the REST API endpoint isn't clearly set up to bypass the SSO layer.
Here's the thing:
-
Double-check the header in Postman/SoapUI use
Authorization: Bearer <token>explicitly. -
Verify the OAuth client registration in Pega matches the JWT issuer (
iss) and audience (aud) claims exactly. Small mismatches trigger authorization issues. -
Confirm your JWT token expiration and system clock alignment; mismatched timestamps can invalidate otherwise good tokens.
-
Check your Service REST rule in Pega under the Service Package: make sure "Requires authentication" is properly configured to OAuth2 (and not Basic or other authentication methods).
-
Temporarily disable or bypass SSO/LDAP for API endpoints, or explicitly allow JWT-based OAuth tokens through your web server or SSO setup.
-
If everything still looks good, enable debug-level security logs in Pega (
SecurityOAuth2) to pinpoint exactly where authentication fails.
@DaniV17021618 Here's what's likely happening: Your OAuth2 setup is correct on the Pega side, but you're getting a 401 Unauthorized in Postman or SoapUI due to SSO/LDAP interfering with token authentication. Since you're using JWT OAuth tokens, LDAP/SSO shouldn't directly affect the API calls, but sometimes the authentication layers conflict, especially if the REST API endpoint isn't clearly set up to bypass the SSO layer.
Here's the thing:
-
Double-check the header in Postman/SoapUI use
Authorization: Bearer <token>explicitly. -
Verify the OAuth client registration in Pega matches the JWT issuer (
iss) and audience (aud) claims exactly. Small mismatches trigger authorization issues. -
Confirm your JWT token expiration and system clock alignment; mismatched timestamps can invalidate otherwise good tokens.
-
Check your Service REST rule in Pega under the Service Package: make sure "Requires authentication" is properly configured to OAuth2 (and not Basic or other authentication methods).
-
Temporarily disable or bypass SSO/LDAP for API endpoints, or explicitly allow JWT-based OAuth tokens through your web server or SSO setup.
-
If everything still looks good, enable debug-level security logs in Pega (
SecurityOAuth2) to pinpoint exactly where authentication fails.
Bottom line: the issue likely isn't your OAuth2 configuration itself it's the interplay between JWT/OAuth and your existing SSO or LDAP setup. Adjusting these configurations or explicitly bypassing SSO for your REST API endpoint usually solves the problem.