Power Platform Community Forum Thread Details

Recently, some of our flows have stopped functioning due to authorization token validation errors. The issue is challenging because there are no failed flow runs recorded, the flows simply stop working, and we become aware of the problem through user complaints.

When a connection is created, Microsoft assigns it an expiration date. Once that token expires, the connection becomes invalid and is marked as "Invalid connection." To restore functionality, we need to manually open the flow and create a new connection using the same account, which effectively renews the token.

Is there a way to retrieve the expiration date of our technical user account so we can proactively manage and renew it before it expires?

The error message:

Error from token exchange: Bad Key authorization token. Token must be a valid JWT signed with HS256 Failed to validate token: IDX10249: X509SecurityKey validation failed. The associated certificate has expired

Categories:

Error handling

@CU04091338-0

You're encountering a token expiration issue in Power Automate flows, especially when using service accounts or technical users. Here's a breakdown of what’s happening and how to proactively manage it.

🔍 Root Cause

The error:

Error from token exchange: Bad Key authorization token. Token must be a valid JWT signed with HS256
Failed to validate token: IDX10249: X509SecurityKey validation failed. The associated certificate has expired.

This indicates that the OAuth token or certificate used to sign the token has expired. Power Automate uses stored tokens for connections, and these tokens can silently expire without triggering a failed flow run—especially if the flow isn’t triggered frequently.

✅ Key Insights from Microsoft

Token Expiry Behavior:
- Most OAuth tokens in Power Platform expire after 90 days
  1
  .
- If the token is revoked (e.g., due to password change, MFA policy, or certificate expiry), the connection becomes invalid.
- Power Automate does not proactively refresh tokens unless a flow run fails and marks the connection as broken
  1
  .
No Built-in Expiry Date Visibility:
- Currently, Power Automate does not expose token expiration dates in the UI or via API.
- You must rely on manual monitoring or flow run failures to detect expired tokens.

🛠️ Recommended Solutions

1. Proactive Monitoring Flow

Create a scheduled flow that:

Calls the Power Platform Admin API to list all connections.
Filters for connections with status = Invalid.
Sends an alert (email or Teams) when a connection is broken.

This won’t give you the expiration date, but it will notify you as soon as a connection breaks.

2. Use Service Principal (App Registration) Instead of User Account

Register an Azure AD App and use client credentials flow.
This avoids token expiration due to password or MFA changes.
You can manage certificate expiration centrally in Azure AD.

3. Rotate Certificates Before Expiry

If you're using certificate-based authentication, monitor the certificate expiry in Azure:

Go to Azure Portal > App Registrations > Certificates & Secrets.
Set up alerts for certificate expiration.

4. Manual Token Refresh

If using a user account:

Periodically re-authenticate the connection manually (e.g., every 60–75 days).
You can do this by clicking “Switch account” and logging in again with the same credentials.