ExpiredToken
AWS ExpiredToken (Expired Token) means the provided token has expired. In Amazon S3, this error returns HTTP 400.
Last reviewed: February 12, 2026 | Editorial standard: source-backed technical guidance
What Does Expired Token Mean?
Authentication fails before S3 evaluates the operation, so all reads/writes signed with that session token are blocked until fresh credentials are issued.
Common Causes
- STS temporary credentials expired before the request reached AWS.
- Long-running workers reuse cached tokens past credential expiration.
- Queue/backoff delays push signed requests beyond token validity window.
- Clock drift makes tokens appear expired earlier than expected.
How to Fix Expired Token
1. Refresh credentials from STS/role provider and retry with new session token.
2. Reduce time between token acquisition, request signing, and request dispatch.
3. Synchronize system clocks and verify UTC time source health.
4. Shorten credential cache TTLs so clients refresh before hard expiration.
Step-by-Step Diagnosis for Expired Token
1. Capture token expiration timestamp and compare with request execution timestamp.
2. Trace credential provider chain to verify which session token was actually used.
3. Inspect queue latency/retry delays between token minting and API transmission.
4. Correlate auth failures with node clock skew metrics across the fleet.
Credential Lifetime Validation
- Inspect token issue/expiry timestamps from the active credential provider (example: worker reuses 60-minute STS session for a 2-hour batch).
- Trace where credentials are cached and reused across processes (example: sidecar cache serves expired session token after provider refresh).
Dispatch Latency and Clock Checks
- Measure delay between credential minting, request signing, and wire send (example: queue dwell time exceeds remaining token lifetime).
- Audit host/container clock drift against reliable UTC source (example: node runs 7 minutes behind and treats valid tokens as expired).
How to Verify the Fix
- Replay the same workflow and confirm ExpiredToken no longer appears.
- Validate refreshed credentials map to expected account and principal.
- Confirm token-expiry auth failures trend down after refresh policy changes.
How to Prevent Recurrence
- Implement proactive token refresh with safety margin before expiry.
- Use centralized credential providers instead of ad hoc token caching.
- Alert on near-expiry credential usage and clock-skew anomalies.
Pro Tip
- Refresh STS sessions based on remaining lifetime threshold (for example, 15 minutes) rather than fixed wall-clock intervals to avoid fleet-wide expiry spikes.
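The remaining-lifetime refresh described above, combined with the queue dwell-time check from the diagnosis section, as an added example that is not part of the original guidance or any AWS SDK. The `RefreshingCredentials` class, its `fetch` callable, and the `dispatch_delay` parameter are hypothetical names; `fetch` is assumed to return a dict with `SessionToken` and a timezone-aware UTC `Expiration`, and the provider and clock in `demo()` are constructed.

```python
import threading
from datetime import datetime, timedelta, timezone

class RefreshingCredentials:
    """Cache temporary credentials; refresh on remaining lifetime, not on a timer."""

    def __init__(self, fetch, margin=timedelta(minutes=15), now=None):
        self._fetch = fetch    # hypothetical: returns {"SessionToken", "Expiration" (aware UTC)}
        self._margin = margin  # 15-minute threshold from the tip above
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._lock = threading.Lock()
        self._creds = None

    def remaining(self):
        if self._creds is None:
            return timedelta(0)
        return self._creds["Expiration"] - self._now()

    def get(self, dispatch_delay=timedelta(0)):
        """Return credentials that still have `margin` left after `dispatch_delay`."""
        with self._lock:
            if self.remaining() - dispatch_delay < self._margin:
                fresh = self._fetch()
                left = fresh["Expiration"] - self._now() - dispatch_delay
                if left < self._margin:
                    # A fresh session cannot cover the delay: sign closer to send time.
                    raise RuntimeError("dispatch delay exceeds usable session lifetime")
                self._creds = fresh
            return self._creds

def demo():
    """Constructed scenario: 60-minute sessions, simulated clock, fake provider."""
    start = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    clock = {"t": start}
    issued = []

    def fake_provider():
        issued.append(clock["t"])
        return {"SessionToken": f"token-{len(issued)}",
                "Expiration": clock["t"] + timedelta(minutes=60)}
    cache = RefreshingCredentials(fake_provider, now=lambda: clock["t"])
    seen = []
    for minute in (0, 30, 44, 46, 50):
        clock["t"] = start + timedelta(minutes=minute)
        seen.append(cache.get()["SessionToken"])
    # A request expected to sit 45 minutes in a queue forces an early refresh.
    queued = cache.get(dispatch_delay=timedelta(minutes=45))["SessionToken"]
    return seen, queued, cache
```

Because each worker refreshes relative to its own session's expiry, workers that minted sessions at different times also refresh at different times.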
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.