# 20160: Invalid Token

Log Type: TWILIO

Log Level: ERROR

## Description

This error occurs when the token presented to the Twilio API is not a valid `JWT`. Twilio Access Tokens are `JWT`s used by client SDKs and must follow the JSON Web Token structure and constraints documented by Twilio.

### Possible causes

* The token is not a properly formed `JWT` (Twilio Access Tokens are composed of three parts: `header`, `payload`, and `signature`).
* The `JWT` `header` is not set as required (for example, `typ` must be `"JWT"`, `alg` must be `"HS256"`, and `cty` must be `"twilio-fpa;v=1"`).
* The token was generated or signed without the correct API Key SID/Secret for the account (the `iss` identifies the API Key and the `signature` is created using the API Key Secret).
* A Restricted API Key was used to create an Access Token for client-side SDKs (not supported).

### Possible solutions

* Re-generate the Access Token on your server using Twilio SDKs and the correct credentials (Account SID, API Key SID, and API Key Secret).
* Ensure the token's `header` fields meet Twilio's requirements and the `alg` is `HS256`.
* Verify the token lifetime: Access Tokens have a maximum age of 24 hours and should be created with the shortest feasible `ttl`.
* Use a Main or Standard API Key when creating Access Tokens; do not use a Restricted API Key.

#### Additional resources

* [Access Tokens](/docs/iam/access-tokens)
* [20156: Expired or Invalid Expiration in Token](/docs/api/errors/20156)
* [20159: Invalid Signature](/docs/api/errors/20159)