# Auth 401/403
## Symptoms
- API returns 401/403 for valid requests
- `Invalid token`, `permission denied`, or `signature mismatch` in logs
- Clock skew errors in authentication service
## Checks
- Validate access token expiration and issuer
- Confirm user/service account scopes/roles
- Check client/server clock skew (NTP)
- Review recent secret/credential rotations
- Inspect identity provider availability and rate limits
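
The token, scope and clock-skew checks above can be scripted. The following is an added example, not code from the logreader project. It assumes the access token is a JWT and that scopes are carried in a space-delimited `scope` claim; the function names, the `https://idp.example` issuer and the sample claims are constructed for illustration.

```python
import base64
import json
import time

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims):
    # Constructed sample with a dummy signature segment; not a real credential.
    return ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(claims), "c2ln"])

def triage_token(token, expected_iss, required_scopes, now=None, leeway=60):
    """Explain a likely 401/403 from token claims. Diagnostic only: the
    signature is NOT verified, so never use the result to authorize anything."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        seg = parts[1]  # JWT segments are unpadded base64url; restore padding
        claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except ValueError:
        return ["malformed"]
    if not isinstance(claims, dict):
        return ["malformed"]
    findings = []
    exp, nbf = claims.get("exp"), claims.get("nbf", claims.get("iat"))
    if not isinstance(exp, (int, float)):
        findings.append("missing_exp")
    elif now >= exp + leeway:
        findings.append("expired")                   # fix: refresh the token
    elif now >= exp:
        findings.append("expired_within_leeway")     # borderline: check NTP too
    if isinstance(nbf, (int, float)) and nbf > now + leeway:
        findings.append("not_yet_valid_clock_skew")  # local clock behind issuer
    if claims.get("iss") != expected_iss:
        findings.append("issuer_mismatch")
    scope = claims.get("scope", "")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = sorted(set(required_scopes) - granted)
    if missing:
        findings.append("missing_scopes:" + ",".join(missing))
    return findings

if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed fixed clock so the output is repeatable
    tok = make_sample_token({"iss": "https://idp.example", "exp": NOW - 900,
                             "iat": NOW - 4500, "scope": "logs:read"})
    print(triage_token(tok, "https://idp.example", ["logs:read", "logs:write"], now=NOW))
```

An access token is a bearer credential, so run this locally and keep the token out of tickets and shared logs.
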
## Fix
- Refresh/rotate tokens or credentials
- Grant correct roles/scopes to caller
- Align clocks and retry
- Apply retry with backoff if the identity provider (IdP) is throttling