Rhumbix incident

Logins Receiving "Invalid Token" Message


Rhumbix experienced a major incident on January 7, 2026 affecting Rhumbix, lasting 3h 57m. The incident has been resolved; the full update timeline is below.

Started: Jan 07, 2026, 06:32 PM UTC
Resolved: Jan 07, 2026, 10:30 PM UTC
Duration: 3h 57m
Detected by Pingoru: Jan 07, 2026, 06:32 PM UTC

Affected components

Rhumbix

Update timeline

  1. investigating Jan 07, 2026, 06:32 PM UTC

    We are getting a large number of reports of users receiving "Invalid token" error messages when attempting to log in. We are investigating the issue.

  2. identified Jan 07, 2026, 07:26 PM UTC

    The issue has been identified and we are working on a fix.

  3. identified Jan 07, 2026, 07:39 PM UTC

    While we continue to work on a fix, the "Invalid token" login issue can be resolved on a user-by-user basis by clearing cookies and cache in the browser. Instructions on how to do so can be found at https://intercom.help/rhumbix-helpcenter/en/articles/6369184-quick-start-guide-clearing-browser-history

  4. resolved Jan 08, 2026, 12:46 AM UTC

    This incident was resolved at 5:10pm ET. We have been monitoring the issue and all "Invalid token" errors have been cleared.

  5. postmortem Jan 08, 2026, 05:02 PM UTC

    ## **Executive Summary**

    Two separate authentication-related issues occurred:

    1. A partial SSO login disruption caused by an update to an authentication library
    2. A separate issue that resulted in “Invalid token” errors for a limited number of users

    This release was part of our normal deployment cycle and included routine infrastructure and library updates. Based on the information available at the time, there was no indication that these changes posed any greater risk than a standard release.

    These issues had a related root cause, but were separate and affected different user groups. Both have been fully resolved, and preventive improvements have been implemented.

    ## **Incident 1: Partial SSO Login Disruption**

    ### **Impact**

    * **Affected users:** Some customers using SSO
    * **Symptoms:** Unable to authenticate via SSO, preventing user login
    * **Duration:** Approximately 2–3 hours
    * **Data impact:** None

    ### **Timeline (CT)**

    * **06:24** – Reports received of SSO login failures
    * **07:12** – Root cause identified
    * **10:32** – SSO issue resolved

    ### **Root Cause**

    A routine release included an update to an authentication library that enforced stricter validation of the Issuer URI used in SSO configurations and which invalidated existing tokens.

    While Rhumbix documentation has long reflected the recommended Issuer URI format, some customers were configured using an older format that was still accepted by the previous library. The updated library no longer supported this legacy format.

    Once affected configurations were updated to the recommended format, SSO access was restored.

    ### **Corrective & Preventive Actions**

    * Verified all supported SSO configurations against current library requirements
    * Updated affected tenant configurations
    * Confirmed normal SSO behavior across customers
    * Adding additional validation for authentication-related library updates prior to release

    ## **Incident 2: Token-Based Authentication “Invalid Token” Errors**

    ### **Impact**

    * **Affected users:** A limited subset of non-SSO users
    * **Symptoms:** “Invalid token” errors during login
    * **Duration:** Intermittent issues throughout the day
    * **Scope:** Smaller user population than SSO
    * **Data impact:** None

    ### **Timeline (CT)**

    * **11:26** – Reports received of “Invalid token” errors
    * **11:39** – Root cause identified
    * **14:30** – Temporary user-level mitigation identified
    * **17:10** – Issue fully resolved

    ### **Root Cause**

    A similar authentication change resulted in the invalidation of certain cached or expired authentication tokens. This surfaced edge cases related to token lifecycle handling that were not previously observable.

    This issue was independent of SSO and did not affect SSO authentication flows.

    ### **Corrective & Preventive Actions**

    * Resolved token validation logic causing erroneous rejections
    * Cleared invalid tokens and confirmed successful re-authentication
    * Increased monitoring around token validation errors
    * Expanding automated testing for token lifecycle scenarios (expired, revoked, deleted)