Invalid access token type while Bearer was expected – How to solve this Elasticsearch exception

Opster Team

August-23, Version: 7.2-7.15

Briefly, this error occurs when Elasticsearch receives an invalid access token type during an authentication process. It’s expecting a “Bearer” token type, but it’s getting something different. To resolve this issue, you can check the token type you’re sending in your request. Ensure it’s a “Bearer” token. Also, verify that the token is correctly formatted and hasn’t expired. If you’re using an API client, check its configuration to ensure it’s set to use “Bearer” tokens for authentication.

This guide will help you check for common problems that cause the log ” Invalid access token type [{}]; while [Bearer] was expected ” to appear. To understand the issues related to this log, read the explanation below about the following Elasticsearch concepts: plugin.

Log Context

Log “Invalid access token type [{}]; while [Bearer] was expected” class name is We extracted the following from Elasticsearch source code for those seeking an in-depth context :

 rpConfig.getResponseType().equals(ResponseType.parse("code"))) {
 assert (accessToken != null) : "Access Token cannot be null for Response Type " + rpConfig.getResponseType().toString();
 final boolean isValidationOptional = rpConfig.getResponseType().equals(ResponseType.parse("code"));
 // only "Bearer" is defined in the specification but check just in case
 if (accessToken.getType().toString().equals("Bearer") == false) {
 throw new ElasticsearchSecurityException("Invalid access token type [{}]; while [Bearer] was expected";
 String atHashValue = idToken.getJWTClaimsSet().getStringClaim("at_hash");
 if (Strings.hasText(atHashValue) == false) {
 if (isValidationOptional == false) {


How helpful was this guide?

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?