When you use the Threads API to post, read messages, or manage your account, you may see an HTTP 401 Unauthorized error. This error means your access token is missing, invalid, or expired. The Threads API uses short-lived access tokens that expire after one hour. This article explains why the 401 error happens and gives you the exact steps to refresh your token using a long-lived user access token or the OAuth 2.0 refresh flow.
Key Takeaways: Refresh Threads API Token to Fix 401 Error
- GET /refresh_access_token endpoint: Converts a short-lived token into a 60-day long-lived token with a single POST request.
- Graph API Explorer > Get Token: Quick way to generate a fresh short-lived token for testing and debugging.
- OAuth 2.0 redirect URI: Required parameter when exchanging an authorization code for an access token; must match the URI registered in your app.
Why the Threads API Returns HTTP 401 Unauthorized
The Threads API uses OAuth 2.0 for authentication. Every API request must include a valid access token in the HTTP Authorization header. If the token is expired, malformed, or belongs to a different user, the server responds with HTTP 401 Unauthorized and a JSON error body like {"error":{"message":"Invalid OAuth 2.0 Access Token","type":"OAuthException","code":102}}.
The most common cause is token expiration. The Threads API issues short-lived access tokens that expire 60 minutes after creation. If your application stores the token without refreshing it, you will get a 401 error on any request made after the expiry time. Another cause is using a token that was generated for a different Instagram account or Facebook app. Each token is scoped to a specific user and app pair.
A less common but possible cause is a revoked token. If the user changes their password, deauthorizes your app, or removes the Threads permission from their Instagram account, Meta invalidates all existing tokens immediately. In this case, you must re-authenticate the user.
Steps to Refresh a Threads API Access Token
You have two options to fix a 401 error: generate a new long-lived token or exchange the current short-lived token for a long-lived one. The refresh flow works only with a valid short-lived token that has not been revoked. The long-lived token lasts 60 days. After that, you must refresh it again.
Option 1: Exchange Short-Lived Token for Long-Lived Token
- Get your current short-lived access token
If you do not have a token yet, use the Graph API Explorer or the OAuth authorization flow to get one. The short-lived token expires in 60 minutes. - Send a POST request to the refresh endpoint
Make an HTTP POST request to this URL:https://graph.threads.net/refresh_access_token?grant_type=th_refresh_token&access_token=YOUR_SHORT_LIVED_TOKEN
ReplaceYOUR_SHORT_LIVED_TOKENwith the actual token string. - Parse the response
The API returns a JSON object with these fields:{"access_token":"NEW_LONG_LIVED_TOKEN","token_type":"bearer","expires_in":5175360}
Theaccess_tokenvalue is your new long-lived token.expires_inis the number of seconds until expiry, typically 60 days or 5,175,360 seconds. - Store the new token securely
Save the long-lived token in a secure database or environment variable. Do not store it in client-side code or logs. - Use the new token in all subsequent API calls
Include the token in the HTTP header:Authorization: Bearer NEW_LONG_LIVED_TOKEN. Replace the old token in your code.
Option 2: Generate a Fresh Token via OAuth Authorization Flow
If the current token is revoked or you cannot refresh it, you must re-authenticate the user. This flow requires a web browser redirect.
- Build the authorization URL
Construct this URL in your application:https://www.threads.net/oauth/authorize?client_id=YOUR_APP_ID&redirect_uri=YOUR_REDIRECT_URI&scope=threads_basic,threads_content_publish&response_type=code
ReplaceYOUR_APP_IDandYOUR_REDIRECT_URIwith your app details. Thescopeparameter must include at leastthreads_basic. - Redirect the user to the URL
Open the URL in a browser or web view. The user logs in to Threads and approves the requested permissions. - Capture the authorization code from the redirect
After approval, Threads redirects to your redirect URI with acodequery parameter:https://yourapp.com/callback?code=AUTH_CODE. Extract the code value. - Exchange the code for an access token
Send a POST request to:https://graph.threads.net/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_REDIRECT_URI&client_secret=YOUR_APP_SECRET&code=AUTH_CODE
The response contains a short-lived access token. - Convert the short-lived token to a long-lived token
Use Option 1 steps 2 through 5 to exchange the short-lived token for a 60-day token.
If the Token Refresh Still Fails
Even after following the refresh steps, you may still see a 401 error. The cause is usually a configuration mistake or a revoked token.
Threads API Returns 401 After Refreshing the Token
If the refresh request itself returns HTTP 401, your short-lived token is invalid or expired. Generate a fresh token using Option 2. Also check that the grant_type parameter is set to th_refresh_token exactly. A typo in the parameter name causes the API to reject the request.
Threads API Returns 401 When the Token Is Correct
The token may be correct but scoped to a different user or app. Verify that the user_id in the token matches the user you are acting on behalf of. Also confirm that your app ID and app secret in the request match the app that created the token. If you changed your app secret, all existing tokens become invalid.
Threads API Returns 401 on Every Request After 60 Days
Long-lived tokens expire after 60 days. You must refresh them before they expire. Schedule a refresh at least one day before the 60-day mark. Use the same refresh_access_token endpoint with the current long-lived token to get a new long-lived token. Meta does not send a warning before expiry.
Threads API Token Types Compared
| Item | Short-Lived Token | Long-Lived Token |
|---|---|---|
| Lifespan | 60 minutes | 60 days |
| How to obtain | OAuth authorization code exchange | POST to /refresh_access_token with a short-lived token |
| Can be refreshed | Yes, once per token to get a long-lived token | Yes, before expiry to get a new long-lived token |
| Revocable | Yes, by user password change or app deauthorization | Yes, same as short-lived |
| Use case | Testing, debugging, or one-time operations | Production apps that make periodic API calls |
You now know how to fix HTTP 401 Unauthorized errors on the Threads API by refreshing your access token. Use the refresh_access_token endpoint to convert short-lived tokens to 60-day long-lived tokens. For production apps, schedule automatic token refreshes before the 60-day expiry. Store tokens securely and never expose them in client-side code. As a next step, test your refresh logic with a single user before rolling it out to all users.