[v4] API token get invalidated seemingly at random

[ovlb]

Bug report

Describe the bug

We have a Strapi instance running on Digital Ocean. We use the API from it to deploy a site on Netlify.

When creating an API key, the first build always succeeds. After that it gets weird. We had some tokens which worked for two or three deploys, another one which worked for around 24 hours. The last two were returning 401 errors after the first deploy.

Here’s what we ruled out so far:

1. Rate limiting. I created a token last night, but the forst deploy this morning (~9 hours after last deploy and token creation was failing). And we had a token working for almost a day where we sometimes multiple deploys in ~90 seconds were working correctly.
2. [v4] npm install does not work with npm 8.3.0 #12232. I downgraded Node to v14 and NPM to v6 yesterday, and the problem is still creeping up.
3. Config errors. We use the netlify.toml file to store the API key, which does not change. And we can reproduce the error in Paw/Postman when using the key

The problem did not show up during local development but only since we use the «proper» deploy with DO/Netlify.

For now, we’ve changed the access permissions for the necessary post types to be public, as we must publish the prod site this evening. But that’s obviously not a long term solution.

Is there any config we might have missed?

Steps to reproduce the behavior

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior

An API key should work.

System

• Node.js version: v14/v16
• NPM version: v6/v8
• Strapi version: v4.0.4/v4.0.5
• Database: Postgres 12
• Operating system: Ubuntu

Additional context

Add any other context about the problem here.

[kibblerz]

Are you using a custom plugin?

[ovlb]

No. The settings are generated through Settings -> API Tokens.

[enflam3]

Hello, Iam also having sort of same situation with both Next.js frontend and Strapi backend sitting at Digital Ocean App platform.
When I make changes and push/redeploy Strapi App all my previous content + newly added stuff seems to deploy fine as I am using same managed DB. But I always have to regenerate new API token and update frontend env variables with newest token after each strapi redeploy. Otherwise old API token shows as persistent but frontend throws 401 Unauthorized when making requests.

[ovlb]

I checked our deploy logs and the failed frontend deploys relate to backend deploys on our site, too.

[MichaelLegg]

This sounds similar to what we're getting too over at #12212
Sometimes it seems almost random when they invalidate.

[derrickmehaffy]

Can't reproduce locally, need additional basic steps to reproduce 🤔

[ovlb]

Unfortunately, it’s impossible to reproduce this locally. It only seems to happen in a remote deployment environment. I’ve been working on this project since December and the issue came up only after we set up the prod env two days ago.

[MichaelLegg]

@ovlb Do you find that if you point your local version to look at the same database as your deployed version, that tokens don't work across both as shown here?:
https://www.loom.com/share/33ac3ffee9ee4371aff07627d7fbe9d2

I was finding that to be the case, in addition to the tokens becoming seemingly randomly invalidated on the hosted environment.

Are tokens somehow linked to the environment the service is deployed to? And perhaps changes in the environment, or the service perhaps being shutdown/moved and restarted on a different physical server on Digital Ocean, or in my case Heroku, is causing them to become invalid?