Kafka Error DELEGATION_TOKEN_AUTHORIZATION_FAILED
Error code 65 · Non-retriable Security
Delegation Token authorization failed.
Common Causes
- The token owner or requester lacks the required delegation-token ACLs on the owner `User` resource (for example `DescribeTokens` when describing tokens)
- Token HMAC is corrupted or was generated with a different `delegation.token.master.key` than what the broker currently has
- Token principal does not have the required ACLs on the topics/groups it is trying to access
Solutions
- Grant the required token-management ACL on the owner `User` resource, for example: `kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<user> --operation DescribeTokens --user-principal User:<token-owner>`
- Verify all brokers share the same `delegation.token.master.key`; rotate it consistently if it was changed without coordination
- Re-create the token and ensure the owner has the appropriate topic/group ACLs before distributing the new token
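To verify that all brokers share the same `delegation.token.master.key` without exposing the secret, the following added example (not part of the original page) compares a SHA-256 fingerprint of the key across broker config files. The function names, sample files and key values are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare delegation.token.master.key across broker configs
# by fingerprint, so the secret itself is never printed.
KEY_RE='delegation\.token\.master\.key'   # property name as given on this page

# Print a 16-hex-char SHA-256 fingerprint of the key in one properties file,
# or MISSING when the property is absent or empty.
key_fingerprint() {
  # Comment lines never match; if the key is repeated, the last one is used.
  value=$(grep -E "^[[:space:]]*${KEY_RE}[[:space:]]*[=:]" "$1" | tail -n 1 |
          sed -E 's/^[^=:]*[=:][[:space:]]*//; s/[[:space:]]+$//') || true
  if [ -z "$value" ]; then
    echo "MISSING"
  else
    printf '%s' "$value" | sha256sum | cut -c1-16
  fi
}

# Return 0 only when every file given carries the same non-empty key.
check_master_key_consistency() {
  first="" rc=0
  for file in "$@"; do
    fp=$(key_fingerprint "$file")
    echo "$file  $fp"
    if [ "$fp" = "MISSING" ]; then
      rc=1
    elif [ -z "$first" ]; then
      first="$fp"
    elif [ "$fp" != "$first" ]; then
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample configs (placeholder values, not real secrets).
demo=$(mktemp -d)
printf 'broker.id=1\ndelegation.token.master.key=sample-key-A\n' > "$demo/broker1.properties"
printf 'broker.id=2\ndelegation.token.master.key = sample-key-A \n' > "$demo/broker2.properties"
printf 'broker.id=3\ndelegation.token.master.key=sample-key-B\n' > "$demo/broker3.properties"

if check_master_key_consistency "$demo"/broker*.properties; then
  echo "OK: all brokers share one key"
else
  echo "MISMATCH: brokers do not share one delegation token key"
fi
rm -rf "$demo"
```

Run it against copies of each broker's properties file; if the key is short or guessable, treat the fingerprints as sensitive too.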
Diagnostic Commands
```bash
# List ACLs for the owner principal
kafka-acls.sh --bootstrap-server localhost:9092 --list --user-principal User:<token-owner>
# Look for authorization failures in logs
grep 'DELEGATION_TOKEN_AUTHORIZATION\|DelegationTokenAuthorizationException' /path/to/kafka/logs/server.log | tail -20
```
Related APIs
This error can be returned by: CreateDelegationToken