What causes TransactionalIdAuthorizationException?

Producer principal lacks ACL for TRANSACTIONAL_ID:WRITE on the transactional.id value used in the producer config ACL was defined with a prefix pattern that does not match the actual transactional.id (e.g., ACL on 'txn-' prefix but producer uses 'transaction-' prefix) Transactional.id changed after deployment (e.g., templated with hostname) but ACLs were defined for the old static name

How do I fix TransactionalIdAuthorizationException?

Grant the required ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User: --operation Write --transactional-id Use a prefix ACL if transactional IDs follow a naming convention: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User: --operation Write --transactional-id --resource-pattern-type prefixed Standardize transactional.id naming in your deployment config to make ACL management predictable; avoid dynamic suffixes

Is TransactionalIdAuthorizationException retriable?

No — TransactionalIdAuthorizationException is not retriable. Retrying the same call will not help; the underlying cause must be fixed first.

Kafka Exception `TransactionalIdAuthorizationException`

org.apache.kafka.common.errors.TransactionalIdAuthorizationException

Non-retriable Security

TransactionalIdAuthorizationException is a Kafka exception (org.apache.kafka.common.errors.TransactionalIdAuthorizationException).

Common Causes

Producer principal lacks ACL for TRANSACTIONAL_ID:WRITE on the transactional.id value used in the producer config
ACL was defined with a prefix pattern that does not match the actual transactional.id (e.g., ACL on 'txn-' prefix but producer uses 'transaction-' prefix)
Transactional.id changed after deployment (e.g., templated with hostname) but ACLs were defined for the old static name

Solutions

Grant the required ACL: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Write --transactional-id <txn-id>
Use a prefix ACL if transactional IDs follow a naming convention: kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:<name> --operation Write --transactional-id <prefix> --resource-pattern-type prefixed
Standardize transactional.id naming in your deployment config to make ACL management predictable; avoid dynamic suffixes

Example Stack Trace

org.apache.kafka.common.errors.TransactionalIdAuthorizationException: Transactional Id authorization failed.

Diagnostic Commands

# List ACLs for the resource
kafka-acls.sh --bootstrap-server localhost:9092 --list --transactional-id <txn-id>

# Look for authorization failures in logs
grep 'TRANSACTIONAL_ID_AUTHORIZATION_FAILED\|Transactional id authorization' /var/log/kafka/server.log | tail -20

Protocol error: TRANSACTIONAL_ID_AUTHORIZATION_FAILED (code 53)

Hitting TransactionalIdAuthorizationException in production? Conduktor Console gives you real-time visibility into clients, consumer groups, and broker health. Browse every Kafka exception or protocol error code.

Kafka Exception TransactionalIdAuthorizationException

Common Causes

Solutions

Example Stack Trace

Diagnostic Commands

Related

Kafka Exception `TransactionalIdAuthorizationException`