Our public OAuth app (client_id: 7eb2e247-bd24-4ed4-a44d-0e178afdd474, revision 2025-01-15):
Step 1: We call POST https://a.klaviyo.com/oauth/token with grant_type=refresh_token. HTTP 200, response includes a fresh access_token (JWT, 536 chars, starts with eyJhbGci...).
Step 2: Immediately we call POST https://a.klaviyo.com/api/templates/ with Authorization: Bearer <that token>. HTTP 401:
{"id":"cf051438-0f8c-44ef-80b5-e65f24d9f0a6","status":401,"code":"authentication_failed","title":"Incorrect authentication credentials.","detail":"Incorrect authentication credentials.","source":{"pointer":"/data/"}}
Same flow worked for over a year. Started failing after the May 5–6, 2026 service disruption. Affecting multiple users.
Earlier sample error id from another user: 709e5dff-fbcc-4573-9388-3c8169a6aba9 (2026-05-07 09:23:11 UTC).
Did the OAuth token format change to JWT recently? Is there a key/audience mismatch between /oauth/token and the API gateway after the May incident?
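A triage helper for the key/audience question above, as an added example that is not part of the original post: it decodes a JWT's header and claims without verifying the signature and flags expiry, not-yet-valid and audience mismatches. The sample token and the expected audience values are constructed, and whether the real access token carries `aud`, `kid`, `exp` or `nbf` is an assumption.

```python
import base64
import json
import time

def _b64url_json(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_jwt(token, expected_aud=None, now=None, skew=60):
    """Decode header and claims WITHOUT verifying the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    now = time.time() if now is None else now
    findings = []
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if exp is not None and now > exp + skew:
        findings.append("expired")
    if nbf is not None and now < nbf - skew:
        findings.append("not_yet_valid")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud is not None and expected_aud not in aud_list:
        findings.append("audience_mismatch")
    # Return only metadata; never log the raw token or its signature.
    return {"alg": header.get("alg"), "kid": header.get("kid"),
            "iss": claims.get("iss"), "aud": aud, "findings": findings}

def _make_sample(header, claims):
    # Builds a constructed, unsigned-looking token for the demo below.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed sample: all values are placeholders, not taken from any real issuer.
SAMPLE = _make_sample(
    {"alg": "RS256", "kid": "example-key-1"},
    {"iss": "https://issuer.example", "aud": "api-a.example", "exp": 1000, "nbf": 900},
)

if __name__ == "__main__":
    print(inspect_jwt(SAMPLE, expected_aud="api-b.example", now=950))
```

Comparing the `kid`, `iss` and `aud` of a token issued before the failures began with one issued now shows whether the issuer side changed; the output is safe to share with support because it contains no token material.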

