Problem
When using the Terraform CLI or making direct API calls to Terraform Enterprise, actions using a User API authentication token fail with a 401: Unauthorized error.
Cause
When SAML is enabled in Terraform Enterprise, User API tokens are temporarily disabled when a user's SAML-authenticated web session expires. This security measure ensures that team membership changes from the identity provider are correctly synchronized upon reauthentication.
Terraform Enterprise relies on your identity provider for team membership mapping, and a user's permissions may have changed since their last session. This behavior is detailed in the API Token Expiration documentation.
This restriction only affects user-specific tokens, not team or organization tokens.
The API token session timeout is a site-wide setting configurable by an administrator at https://<TFE_HOSTNAME>/app/admin/saml. The default session timeout is two weeks.
Solution
To re-enable the User API token, you must refresh the associated web session by reauthenticating.
- Navigate to the Terraform Enterprise UI session page at https://<TFE_HOSTNAME>/session.
- Log in using your SAML credentials to establish a new, valid web session.
Once the session is refreshed, the existing User API token will be re-enabled and can be used for API calls and CLI operations.
Outcome
After reauthentication, API calls and Terraform CLI commands using the User API token should process successfully without 401: Unauthorized errors.
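One way to confirm this outcome from a script or CI pre-flight step, as an added example that is not part of the original article or HashiCorp's code: it presents the token to the /api/v2/account/details endpoint and, on a 401, points the user to the session page described above. The function names and the TFE_HOSTNAME and TFE_TOKEN environment variable names are assumptions of this example.

```python
import os
import sys
import urllib.error
import urllib.request

# Endpoint chosen for this example: it returns the account behind the presented token.
ACCOUNT_DETAILS_PATH = "/api/v2/account/details"


def http_status(url, token, timeout=10):
    """Return the HTTP status of an authenticated GET; raises if the host is unreachable."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/vnd.api+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 4xx/5xx arrive as exceptions; only the code is needed


def check_user_token(base_url, token, fetch=http_status):
    """Return (ok, message) for the token against the instance at base_url."""
    base_url = base_url.rstrip("/")
    try:
        status = fetch(base_url + ACCOUNT_DETAILS_PATH, token)
    except (urllib.error.URLError, OSError) as err:
        return False, f"cannot reach {base_url}: {err}"
    if status == 200:
        return True, "token accepted"
    if status == 401:
        # With SAML enabled, a User API token is disabled while its owner's web
        # session is expired; reauthenticating re-enables the same token.
        return False, ("401 Unauthorized: if SAML is enabled and this is a User API "
                       f"token, log in at {base_url}/session and retry; if the 401 "
                       "persists, the token itself is not valid")
    return False, f"unexpected HTTP {status}; not the SAML session-expiry case"


if __name__ == "__main__":
    # TFE_HOSTNAME and TFE_TOKEN are variable names assumed by this example.
    ok, msg = check_user_token("https://" + os.environ["TFE_HOSTNAME"],
                               os.environ["TFE_TOKEN"])
    print(msg)
    sys.exit(0 if ok else 1)
```

The token is read from the environment rather than passed on the command line, so it does not end up in shell history or process listings.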