"token is expired" reading from Cloud Save in Extend Starter Dev

Hi folks,

I’ve built the Extend Starter App and got it working. I’ve been customizing the sample service extension and .proto file for my needs, and no problems so far. Last night it was working – I was also saving data to a cloud save game record, just like the GuildService sample app. Tonight I ran it again, and it doesn’t work. I get a “token is expired” error on a cloud save read call:

Error when executing service method 'ChangeRoomState'.
    AccelByte.Sdk.Core.HttpResponseException: {
        "errorCode": 20011,
        "errorMessage": "token is expired"
at AccelByte.Sdk.Api.Cloudsave.Operation.AdminGetGameRecordHandlerV1.ParseResponse[T1](HttpStatusCode code, String contentType, Stream payload)
at AccelByte.Sdk.Api.Cloudsave.Wrapper.AdminGameRecord.AdminGetGameRecordHandlerV1[T1](AdminGetGameRecordHandlerV1 input)
at AccelByte.Sdk.Api.CloudsaveAdminGameRecord_OpExts.Execute[T1](AdminGetGameRecordHandlerV1Builder builder, String key, String namespace_)

Since you can’t set permissions on IAM users right now, we were told to run with auth disabled via environment variable:


Also, I created this IAM user about a month ago so maybe it’s been 30 days, and something expired? Am I missing some proper step or is this a “doesn’t work right now” situation and I just need to recreate the IAM ID and Secret?


Hi @chrislambertus ,

Could you try using unmodified C# Service Extension sample app with existing client id and secret and see whether it is working or not? If this works then could you inform us any AGS endpoints you are using in your service extension app?

Thank you.

I got latest on the sample (extend-service-extension-csharp) and it took me a bit to get it working again. I’ve done it, run the sample, tested with Postman, and it succeeds. No errors.

So did something change with Starter Extend auth? Is there some step I’m missing? Is there a change to the sample I need to bring over to my own code?

I just double-checked and I’m doing the same Cloud Save operations as the sample, hitting _ABProvider.Sdk.Cloudsave.AdminGameRecord.AdminPostGameRecordHandlerV1Op.

Diffing the folders, I noticed that this line was removed from README.md:

:exclamation: For AGS Starter customers, you don’t need to add the permissions. All confidential IAM clients already contain the necessary permissions.

Does that mean existing users have to go back and add the permissions now?

Apparently you can’t, there’s no Permissions section still…

And regardless, the same AB Client and Secret worked with the sample. :man_shrugging:

So… guess what. It’s magically working now. I have zero ideas.

I have one theory: it seemed like after I shut down the Docker container and ran docker-compose up --build again, it worked.

@chrislambertus Is there any chance you cache your token in your Service Extension app?

I don’t believe so. I don’t think I’m sending any token – I’ve got PLUGIN_GRPC_SERVER_AUTH_ENABLED=false set in my environment variables.

Hi @chrislambertus ,

We have a fix today. Could you please update from latest master or v2024.03.01 release and see whether the fix works for you?

Thank you.

1 Like

Great! I was just looking into the workarounds you listed. I’ll get latest and try again, thanks!