DEP/ADE server token rejected even though expiry is 6+ months away — is this a known issue?

I'm a third-party MDM developer using the Automated Device Enrollment (DEP) cloud service API.

My flow is the standard token exchange: I upload my public key to Apple Business Manager, download the encrypted server token, and store the resulting OAuth credentials (consumer_key, consumer_secret, access_token, access_secret) to authenticate and fetch device information.

Recently I've started seeing authentication failures on tokens whose access_token_expiry still has 6+ months of validity remaining.

The credentials were working fine and then began getting rejected, with no change on my side. My questions for anyone who has seen this:

  1. Has anyone else observed DEP/ADE server tokens being rejected well before their stated access_token_expiry?
  2. What are the known triggers for early invalidation? (e.g., the ABM user who created the MDM server being deactivated or having a role change, the token being re-downloaded/regenerated, edits to the MDM server record, or Apple-side session invalidation.)
  3. Is there a supported way to detect that a still-unexpired token has been invalidated, other than catching the auth failure at request time?

I want to confirm whether this is expected behavior tied to the ABM account/server lifecycle rather than the token's expiry date, so I can handle it correctly (i.e., prompt for a token re-download) instead of treating it as a bug.

Any confirmation, similar reports, or official guidance would be appreciated. Thanks.

Answered by Apple Developer Support in 897002022

Thank you for reaching out about that scenario.

The Apple Business User Guide documents the below expectations for when a token renewal is required.

In short, yes there are scenarios where it is indeed expected that a device management service token for the DEP API will get invalidated before its expiration date.


A user with the proper permissions needs to replace the active token on an external device management service in these situations:

  • When creating a new public key or generating a new token
  • When the user who downloaded the token changes their Managed Apple Account password

https://support.apple.com/guide/business/link-to-an-external-device-management-service-axm1c1be359d/web

Thank you for reaching out about that scenario.

The Apple Business User Guide documents the below expectations for when a token renewal is required.

In short, yes there are scenarios where it is indeed expected that a device management service token for the DEP API will get invalidated before its expiration date.


A user with the proper permissions needs to replace the active token on an external device management service in these situations:

  • When creating a new public key or generating a new token
  • When the user who downloaded the token changes their Managed Apple Account password

https://support.apple.com/guide/business/link-to-an-external-device-management-service-axm1c1be359d/web

DEP/ADE server token rejected even though expiry is 6+ months away — is this a known issue?
 
 
Q