# 20106: Invalid Access Token grants

Log Type: TWILIO

Log Level: ERROR

## Description

Twilio accepted the Access Token's signature and issuer, but rejected the token because the `grants` claim was invalid, could not be parsed, or did not permit the requested operation.

### Possible causes

* The token's `grants` claim did not include the product-specific grant required for the SDK or API being used (for example, Video requires a mandatory `video` grant).
* The `grants` object was malformed or used unrecognized fields, so Twilio could not parse it.
* A required field inside a product grant was missing or incorrect (for example, `SyncGrant` requires a `serviceSid`).
* A token generated for one product type was attempted in a different context (for example, a Verify Push Access Token used with client-side SDKs), which is not supported.

### Possible solutions

* Regenerate the Access Token server-side and ensure the `grants` claim includes at least one correct, product-specific grant for the capability you need; use Twilio server-side SDK helpers to construct grants and tokens.
* For Video, include a `VideoGrant`; to limit access to a single Room, set the `room` value within that grant (for example, using `AccessToken.VideoGrant`).
* For Sync, include a `SyncGrant` and provide the required `serviceSid`.
* If you're using Verify Push, create a product-specific Access Token using the Verify Access Token resource instead of reusing tokens from other products.

#### Additional resources

* [Access Tokens](/docs/iam/access-tokens)
* [User Identity & Access Tokens for Programmable Video](/docs/video/tutorials/user-identity-access-tokens)
* [Issuing Sync Tokens](/docs/sync/identity-and-access-tokens)