400 Bad Request when call endpoint with expired token #10451

maria_ruiz created 22 days ago

Hello,

Following the update to ABP from version 9 to 10, we are receiving this message on a series of endpoints when the token has expired with the 400 code. { "error": { "code": null, "message": "ValidationErrorMessage", "details": "ValidationNarrativeErrorMessageTitle\r\n - The value 'Error' is not valid.\r\n", "data": {}, "validationErrors": [ { "message": "The value 'Error' is not valid.", "members": [ "id" ] } ] }

Previously, we received the code 401 "Unauthorised", which is the correct one.

Has any change been made that could be affecting this?

Thanks,

Go to accepted answer

AI-Bot created 22 days ago

Support Team ABP Agent

Nothing in ABP v10 “intentionally” changes an expired/invalid access token response from 401 to 400.
The payload you posted is an ABP validation error (it’s coming from model binding/validation, not from authentication). The key clue is:

validationErrors → member: "id" → "The value 'Error' is not valid."

That means the request is reaching the action and ASP.NET Core is trying to bind a parameter/route value named id (likely Guid/int). Instead of a valid id, the literal string "Error" is being sent.

What’s most likely happening

When the token expires, your client is no longer calling the real endpoint URL, but a URL that contains "Error" in the {id} segment (or it is sending "Error" as a query/body field named id). Common causes after upgrades are:

an HTTP client / API proxy / interceptor that on 401 rewrites or retries the request incorrectly,
a custom “refresh token” handler that, on failure, returns "Error" and that value gets used as the id for the next request,
Blazor client-side code that navigates to an error route and then reuses the current route parameter as id.

So ABP returns 400 because the request is malformed (invalid id), before/independently of auth.

Fix (server-side + client-side)

Client-side: ensure you don’t build URLs with an error string
- Find the failing calls and log the final request URL when the token is expired.
- Verify the {id} segment (or id parameter) is still a real Guid/int when you get the expired-token case.
Client-side: handle 401 properly
- When you receive 401, either:
  - refresh the token and retry, or
  - redirect to login,
  - but do not continue calling business endpoints with placeholder/error strings for route values.
Server-side verification
- Add logging (or inspect logs) to confirm the requested path when the issue occurs. You should see something like /api/.../Error/... or ?id=Error.

If after confirming the actual requested URL you still see ABP returning 400 while the request URL and route params are correct, then it would be something different—but with the error payload you posted, it’s a request validation/model-binding problem, not an auth-status-code change.

https://abp.io/docs/latest/framework/infrastructure/csrf-anti-forgery

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

maria_ruiz created 22 days ago

I need more help

maliming created 22 days ago

Support Team Fullstack Developer

Can you share more debug/error logs?

liming.ma@volosoft.com

Thanks.

maria_ruiz created 14 days ago

I have this error:

`2026-02-27 10:39:45.982 +00:00 [INF] AuthenticationScheme: OpenIddict.Validation.AspNetCore was challenged. 2026-02-27 10:39:46.031 +00:00 [INF] The authentication demand was rejected because the token was expired. 2026-02-27 10:39:46.031 +00:00 [INF] OpenIddict.Validation.AspNetCore was not authenticated. Failure message: An error occurred while authenticating the current request. 2026-02-27 10:39:46.031 +00:00 [INF] OpenIddict.Validation.AspNetCore was not authenticated. Failure message: An error occurred while authenticating the current request. 2026-02-27 10:39:46.033 +00:00 [WRN] ---------- RemoteServiceErrorInfo ---------- { "code": null, "message": "ValidationErrorMessage", "details": "ValidationNarrativeErrorMessageTitle\r\n - The value 'Error' is not valid.\r\n", "data": {}, "validationErrors": [ { "message": "The value 'Error' is not valid.", "members": [ "id" ] } ] }

2026-02-27 10:39:46.033 +00:00 [WRN] ModelState is not valid! See ValidationErrors for details. Volo.Abp.Validation.AbpValidationException: ModelState is not valid! See ValidationErrors for details. at Volo.Abp.AspNetCore.Mvc.Validation.ModelStateValidator.Validate(ModelStateDictionary modelState) at System.Runtime.ExceptionServices.InternalCalls.

maliming created 14 days ago

Support Team Fullstack Developer

The value 'Error' is not valid.

What is your input model/class and HTTP request body?

Thanks,

maria_ruiz created 14 days ago

This endpoint is an HTTP GET, so it doesn’t have a request payload model.

Input model/class: N/A for body. Inputs are provided via query parameters (e.g., subscriptionId: Guid, maxMessages: int) and required headers (e.g., _tenant, plus Authorization: Bearer <token> if authentication is enforced). HTTP request body: None / empty (GET request — no request body is sent).

maliming created 14 days ago

Support Team Fullstack Developer

What is your endpoint action code?

It seems you have an id parameter, but you pass an Error.

id can't parse from Error

Thanks.

maria_ruiz created 14 days ago

But the same request with valid token is okey

maria_ruiz created 14 days ago

This is the endpoint action code

[Authorize] [Route("api/event-bus/[action]")] public class ArcoEventBusConsumerAppService : SmcApplicationService, IArcoEventBusConsumerAppService { [HttpGet] [ActionName("peek-messages")] public async Task<IReadOnlyList<object>> PeekMessagesAsync(Guid subscriptionId, int maxMessages) => await ExternalIntegrationEndpoint.PeekMessagesAsync(subscriptionId, maxMessages); }

maliming created 14 days ago

Support Team Fullstack Developer

Can you set a breakpoint in the PeekMessagesAsync method and see if it stops during a 400 error?

Thanks.

maria_ruiz created 14 days ago

In local work, but in the enviroment publish not work.

However, we do not know what might be causing this error, as it does not provide much information.

maliming created 14 days ago

Support Team Fullstack Developer

You can add a middleware to output more request info to logs in your production environment.

Thanks.

maria_ruiz created 11 days ago

Hello,

I think we received this error, but it must be another one.

In the audit, we see that the URL is /Error instead of saving the original, PeekMessagesAsync.

Is there any reason for it to redirect to that error page? I understand that it is the one giving the ValidationErrorMessage error.

maliming created 11 days ago

Support Team Fullstack Developer

Can you enable debug logging and share the full logs.txt file at the time of the error?

https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

Thanks

maria_ruiz created 10 days ago

Hello,

I found the problem.

The problem was that when the request fails, it is redirecting to the Default.cshtml page because we received the HTML in the response. Locally, this does not happen, so we were unable to replicate it.

On this default page, a png android-chrome image was loading that could not be found and was redirecting to /Error. Instead of getting a 404, we were getting a 400, which I understand was masked.

When we deleted this reference and the image, which was not being used and came by default with the ABP project, we received the correct error code (401).

maliming created 10 days ago

Support Team Fullstack Developer

Great 👍

Question details

ABP Version (vX.X.X)

Database Management System

Tiered (MVC) or Auth Server Separated (Angular)

Boost Your Development

ABP Live Training
Packages

See Trainings

The Official Guide

Mastering
ABP Framework

Learn More

Framework

Tools

Mobile

Startup Templates

UI

Modules

16 Answer(s)