# 51007: Client Connection: Token authentication is rejected

Log Type: APPLICATION

Log Level: ERROR

## Description

This error occurs when your SDK client tries to connect with an Access Token that Twilio cannot authenticate. Access Tokens are short-lived JWTs that you generate on your server for Twilio client-side SDKs. They must be signed correctly and include the required `identity` and product-specific grants for the SDK you are using.

### Possible causes

* The Access Token has expired or is not yet valid because the `exp` or `nbf` claim is outside the allowed time window. Access Tokens are short-lived and can be configured for up to 24 hours.
* The token was modified after it was generated, or it was signed with the wrong API Key Secret, which prevents Twilio from validating the JWT signature.
* The `grants` claim is missing, malformed, or does not include the product-specific grant required for the SDK connection you are attempting.
* The token is missing required fields inside the grant. For example, Conversations requires a `ChatGrant` with a Conversation Service SID, Sync requires a `SyncGrant` with `serviceSid`, and Voice requires a `VoiceGrant` with `outgoingApplicationSid`.
* The token does not include the required `identity` grant used to associate the token with a specific user.
* If you are connecting to Video, the token was created with an API Key outside the US1 region, or it does not include a `VideoGrant`.

### Possible solutions

* Generate a new Access Token on your server and send a fresh token to the client instead of reusing an expired or cached token. Use a Twilio server-side helper library to build the token and grants.
* Decode the token before you send it to the client and verify that `identity`, `grants`, `exp`, and `nbf` are present and correct.
* Make sure the grant matches the SDK you are initializing. Use `ChatGrant` for Conversations, `SyncGrant` for Sync, `VoiceGrant` for Voice, and `VideoGrant` for Video.
* Confirm that required grant fields are set correctly. Provide the Conversation Service SID in `ChatGrant`, the Sync Service SID in `SyncGrant`, and a valid TwiML App SID in `VoiceGrant.outgoingApplicationSid`.
* If you are connecting to Video, create the token with an API Key in the US1 region and include a `VideoGrant`.

#### Additional resources

* [Access Tokens](/docs/iam/access-tokens)
* [User Identity & Access Tokens for Programmable Video](/docs/video/tutorials/user-identity-access-tokens)
* [Issuing Sync Tokens](/docs/sync/identity-and-access-tokens)