401 on /userinfo

Ok many topics with the same issue but I haven’t found a solution yet. Even though my access token is valid, I still get a 401 on the userinfo endpoint. What is the problem? I do not have anything in the system logs.

    // Token obtained after login (the actual value was omitted from the post)
    $access_token = 'new_valid_token_I_have_after_login';
    $userinfo_endpoint = 'https://dev-85960002.okta.com/oauth2/v1/userinfo';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $userinfo_endpoint);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        "Authorization: Bearer " . $access_token,
        "Accept: application/json",
    ));

    // Return the response as a string and include the response headers in it
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    // CURLOPT_NOBODY makes cURL send a HEAD request instead of a GET and discard the body
    curl_setopt($ch, CURLOPT_NOBODY, 1);

    $output = curl_exec($ch);
    curl_close($ch);

Response:

    [status] => HTTP/1.1 401 Unauthorized
    [Date] => Thu, 17 Jun 2021 16:45:57 GMT
    [Connection] => keep-alive
    [Server] => nginx
    [Public-Key-Pins-Report-Only] => pin-sha256="r5EfzZxQVvQpKo3AgYRaT7X2bDO/kj3ACwmxfdT2zt8="; pin-sha256="MaqlcUgk2mvY/RFSGeSwBRkI+rZ6/dxe/DuQfBT/vnQ="; pin-sha256="72G5IEvDEWn+EThf3qjR7/bQSWaS2ZSLqolhnO6iyJI="; pin-sha256="rrV6CLCCvqnk89gWibYT0JO6fNQ8cCit7GGoiVTjCOg="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
    [x-okta-request-id] => YMt8RRD8cfp1p1gOKscSkQAAA58
    [x-xss-protection] => 0
    [p3p] => CP="HONK"
    [access-control-expose-headers] => WWW-Authenticate
    [www-authenticate] => Bearer authorization_uri="http://dev-85960002.okta.com/oauth2/v1/authorize", realm="http://dev-85960002.okta.com", scope="openid", error="invalid_token", error_description="The access token is invalid.", resource="/oauth2/v1/userinfo"
    [content-language] => en
    [Strict-Transport-Security] => max-age=315360000; includeSubDomains
    [set-cookie] => sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Are you making a POST GET request to the correct userinfo endpoint?

The userinfo endpoint you are trying to hit needs to be the one associated with the authorization server you are using. The base url (everything before /v1/userinfo) for this request should match the ‘iss’ value present in the token.

You mean a GET request?

The below are the endpoints I use. I use the exact same endpoints on another app and it works fine.

You’re right, I meant GET. I said that only because I think you might be making a HEAD request instead.

Your endpoints do appear to be correct in that they all refer to the same authorization server. If you attempt to make the call manually in postman, does it work?
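The two checks suggested in this thread, put into one script as an added example (not code from the original post or from Okta): it reads the `iss` claim out of the access token, confirms that the configured userinfo endpoint belongs to that issuer by comparing it with the `userinfo_endpoint` advertised in the issuer's OpenID discovery document, and then calls `/userinfo` with an explicit GET rather than the HEAD that `CURLOPT_NOBODY` produces. The token value and the environment variable `OKTA_ACCESS_TOKEN` are placeholders; the org URL is the one from the thread. Reading the JWT payload without verifying the signature is only for inspecting claims locally, never for trusting the token.

```php
<?php
// Added example, not part of the original thread. Requires PHP 7.3+ with ext-curl.

// Decode the payload segment of a compact JWT without verifying the signature.
// Returns null when the token is not JWT-shaped (e.g. an opaque token).
function jwt_payload(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $b64  = strtr($parts[1], '-_', '+/');                       // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);        // restore padding
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    return json_decode($json, true, 512, JSON_THROW_ON_ERROR);
}

// Generic GET helper; returns [status, raw headers, body]. Never sets CURLOPT_NOBODY.
function http_get(string $url, array $headers = []): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_HTTPGET        => true,   // explicit GET (CURLOPT_NOBODY would turn this into HEAD)
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
    ]);
    $raw = curl_exec($ch);
    if ($raw === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl failed for $url: $err");
    }
    $status     = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    curl_close($ch);
    return [$status, substr($raw, 0, $headerSize), substr($raw, $headerSize)];
}

// Ask the issuer named in the token which userinfo endpoint it serves, and compare it
// with the endpoint we are configured to call. A mismatch means the token was minted by
// a different authorization server than the one we are querying.
function userinfo_matches_issuer(string $configuredUserinfo, string $iss): bool {
    $discovery = rtrim($iss, '/') . '/.well-known/openid-configuration';
    [$status, , $body] = http_get($discovery, ['Accept: application/json']);
    if ($status !== 200) {
        throw new RuntimeException("discovery document at $discovery returned HTTP $status");
    }
    $meta = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return isset($meta['userinfo_endpoint'])
        && rtrim($meta['userinfo_endpoint'], '/') === rtrim($configuredUserinfo, '/');
}

// --- usage; token comes from the environment so it never lands in source control ---
$access_token      = getenv('OKTA_ACCESS_TOKEN') ?: 'PLACEHOLDER_ACCESS_TOKEN';
$userinfo_endpoint = 'https://dev-85960002.okta.com/oauth2/v1/userinfo';

try {
    $claims = jwt_payload($access_token);
    if ($claims === null || empty($claims['iss'])) {
        fwrite(STDERR, "token is not a JWT with an iss claim; skipping issuer check\n");
    } elseif (!userinfo_matches_issuer($userinfo_endpoint, $claims['iss'])) {
        fwrite(STDERR, "configured userinfo endpoint does not belong to iss={$claims['iss']}\n");
        exit(1);
    }

    [$status, $headers, $body] = http_get($userinfo_endpoint, [
        'Authorization: Bearer ' . $access_token,
        'Accept: application/json',
    ]);
    echo "HTTP $status\n";
    if ($status === 401 && preg_match('/^www-authenticate:.*$/mi', $headers, $m)) {
        echo $m[0], "\n";   // error="..." and error_description say why the token was rejected
    } else {
        echo $body, "\n";
    }
} catch (Throwable $e) {
    fwrite(STDERR, 'error: ' . $e->getMessage() . "\n");
    exit(1);
}
```

When reproducing the call manually instead of in Postman, note that `curl -I` also sends a HEAD request; use a plain `curl -H "Authorization: Bearer ..." <userinfo endpoint>` so the comparison with the PHP code is like for like.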