Kafka Error DELEGATION_TOKEN_EXPIRED
Error code 66 · Non-retriable Security
Delegation Token is expired.
Common Causes
- Token's `maxTimestamp` (max life time) has elapsed and the broker has marked it as expired
- Token was not renewed before its `expiryTimestamp` — renewal extends expiry up to `maxTimestamp`, but was missed
- `delegation.token.max.lifetime.ms` on the broker is set too short for the client's usage pattern
Solutions
- If within max lifetime, renew the token: `kafka-delegation-tokens.sh --bootstrap-server localhost:9092 --renew --renew-time-period 86400000 --hmac <hmac>`
- Create a new token with a longer max lifetime (`--max-life-time-period`) and implement automatic renewal in the client before expiry
- Increase `delegation.token.max.lifetime.ms` and `delegation.token.expiry.time.ms` in `server.properties` to match operational requirements
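The renew-or-recreate decision behind the automatic-renewal advice above, as an added Python example (not Kafka or Conduktor code). It models renewal as the page describes it, with expiry extended but capped at `maxTimestamp`. The function names, `lead_ms` and `skew_ms` are hypothetical, and the scenario values are constructed.

```python
from dataclasses import dataclass

HOUR_MS = 60 * 60 * 1000
DAY_MS = 24 * HOUR_MS

@dataclass
class TokenTimes:
    """Epoch-millisecond timestamps, named after the token fields on this page."""
    expiry_timestamp: int
    max_timestamp: int

def renewed_expiry(tok, now_ms, renew_period_ms):
    """Expiry after a successful renewal: extended, but capped at maxTimestamp."""
    return min(now_ms + renew_period_ms, tok.max_timestamp)

def next_action(tok, now_ms, lead_ms, skew_ms=30_000):
    """Return (action, time_ms): 'wait' until time_ms, or 'renew'/'recreate' now.

    lead_ms (act this long before expiry) and skew_ms (client/broker clock
    allowance) are hypothetical tuning knobs, not Kafka settings.
    """
    deadline = min(tok.expiry_timestamp, tok.max_timestamp)
    if now_ms + skew_ms >= deadline:
        # Too late to renew safely: past expiry a renew gets DELEGATION_TOKEN_EXPIRED.
        return ("recreate", now_ms)
    if now_ms < deadline - lead_ms:
        return ("wait", deadline - lead_ms)
    if tok.expiry_timestamp >= tok.max_timestamp:
        # Final window: renewal cannot go past maxTimestamp, so issue a new token.
        return ("recreate", now_ms)
    return ("renew", now_ms)

def simulate(expiry_ms, max_life_ms, renew_period_ms, lead_ms):
    """Follow one token issued at t=0 until it must be replaced; return events."""
    if renew_period_ms <= lead_ms:
        raise ValueError("renew period must exceed the lead time")
    tok, now, events = TokenTimes(expiry_ms, max_life_ms), 0, []
    while True:
        action, when = next_action(tok, now, lead_ms)
        now = when
        if action == "wait":
            continue
        events.append((action, when))
        if action == "recreate":
            return events
        tok.expiry_timestamp = renewed_expiry(tok, now, renew_period_ms)

if __name__ == "__main__":
    # Constructed scenario: 1-day expiry, 7-day max lifetime, renew 6 h early.
    for action, when in simulate(DAY_MS, 7 * DAY_MS, DAY_MS, 6 * HOUR_MS):
        print(f"{when // HOUR_MS:>4} h  {action}")
```

In the constructed scenario the last renewal lands exactly on `maxTimestamp`, so the next step is to create a new token, not to renew again.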
Diagnostic Commands
# Check token expiry timestamps
kafka-delegation-tokens.sh --bootstrap-server localhost:9092 --describe | grep -E 'expiryTimestamp|maxTimestamp|tokenId'
# Check the host clock (UTC) and recent token-expiry entries in the broker log
date -u && grep 'TokenExpired\|delegation.token.expiry' /path/to/kafka/logs/server.log | tail -10
Related APIs
This error can be returned by: ExpireDelegationToken · RenewDelegationToken