AG8001 Invalid Token even with fresh login
-
**Title:** SmartAPI order placement – AG8001 Invalid Token even with fresh login (Client M173002)
Hi Team,
I am facing a consistent `AG8001 - Invalid Token` error on the order placement API for my account M173002, even when using a freshly generated `jwtToken` from `generateSession`.

1) Login works fine (Python SDK)

I am using the official `smartapi-python` SDK:

```python
from SmartApi.smartConnect import SmartConnect
import pyotp, json

API_KEY = "hbeV0h3A"  # for M173002
CLIENT_CODE = "M173002"
PASSWORD = "<hidden>"
TOTP_SECRET = "<hidden>"

obj = SmartConnect(api_key=API_KEY)
# Current TOTP code derived from the shared secret
totp = pyotp.TOTP(TOTP_SECRET).now()
data = obj.generateSession(CLIENT_CODE, PASSWORD, totp)
print("Login response:", json.dumps(data, indent=2))
```

This returns:

```json
{
  "status": true,
  "message": "SUCCESS",
  "data": {
    "clientcode": "M173002",
    "jwtToken": "Bearer eyJhbGciOiJIUzUxMiJ9....uiswy9BT8U...",
    "refreshToken": "...",
    "feedToken": "...",
    "exchanges": ["nse_fo","nse_cm","cde_fo","ncx_fo","bse_fo","bse_cm","mcx_fo"],
    "products": ["MARGIN","MIS","NRML","CNC","CO","BO"]
  }
}
```

So authentication, exchanges, and products are all fine and I receive a valid `jwtToken`.

2) Immediate order placement via raw HTTP (no delay)
Right after login, I call the order endpoint using the same API key and the same jwtToken:
```python
import requests, json

url = "https://apiconnect.angelone.in/rest/secure/angelbroking/order/v1/placeOrder"

headers = {
    "X-API-Key": "hbeV0h3A",  # same as used in SmartConnect
    "Authorization": "Bearer eyJhbGciOiJIUzUxMiJ9....uiswy9BT8U...",
    "X-ClientLocalIP": "127.0.0.1",
    "X-ClientPublicIP": "127.0.0.1",
    "X-MACAddress": "00:00:00:00:00:00",
    "X-UserType": "USER",
    "X-SourceID": "WEB",
    "Accept": "application/json",
    "Content-Type": "application/json"
}

payload = {
    "variety": "NORMAL",
    "tradingsymbol": "NIFTY24MAR2625700PE",
    "symboltoken": "62792",
    "transactiontype": "BUY",
    "exchange": "NFO",
    "ordertype": "MARKET",
    "producttype": "NRML",
    "duration": "DAY",
    "price": "0",
    "triggerprice": "0",
    "quantity": "1"
}

resp = requests.post(url, headers=headers, json=payload)
print("Status code:", resp.status_code)
print("Raw body repr:", repr(resp.text))
```

Actual response:

```
Status code: 200
Raw body repr: '{"success":false,"message":"Invalid Token","errorCode":"AG8001","data":""}'
JSON body: {'success': False, 'message': 'Invalid Token', 'errorCode': 'AG8001', 'data': ''}
```

Important notes:

- `X-API-Key` in login and in order request is exactly the same: `hbeV0h3A`.
- `Authorization` header uses the fresh jwtToken returned by `generateSession` (no manual editing except removing the “Bearer ” when needed).
- The order request is sent immediately after login in the same session, so token expiry is not the issue.
- IP headers (`X-ClientLocalIP`, `X-ClientPublicIP`) and other mandatory headers are present.

Still, the order endpoint always returns `AG8001 - Invalid Token`.

3) What I suspect
- The auth service is issuing a jwtToken/refreshToken correctly (`SUCCESS` response).
- But the order microservice is rejecting the same token with `AG8001`.
- This looks like a backend token validation / mapping issue between the auth service and the order service for my API key.

4) Request
Please check the SmartAPI backend configuration for:
- Client Code: `M173002`
- API Key: `hbeV0h3A`

Specifically:
- Verify that tokens issued by `generateSession` for this API key are accepted by the `order/v1/placeOrder` service.
- Confirm if there are any additional requirements (IP whitelisting, device binding, etc.) beyond the headers shown above.
- Fix the AG8001 behaviour or let me know if anything needs to be changed on my side.

Thanks in advance.
-
@shahnawaz-pe-0 Yes this issue exists. Seems like the generateSession is creating access_token for older SmartAPI apps and not the app created from "New Login" with primary IP.
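
A local check for the two client-side points raised in the thread, the `Bearer ` prefix on `jwtToken` and token expiry, as an added example that is not part of the original posts or the SmartAPI SDK. It assumes the token carries the standard JWT `exp` claim; the sample token and its claims are constructed, and the check cannot show why a server rejects a token.

```python
import base64
import json
import time


def bearer_header(jwt_token: str) -> str:
    """Return an Authorization value with exactly one 'Bearer ' prefix."""
    token = jwt_token.strip()
    while token.lower().startswith("bearer "):
        token = token[len("bearer "):].lstrip()
    if token.count(".") != 2:
        raise ValueError("not a three-part JWT")
    return "Bearer " + token


def jwt_claims(jwt_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    token = bearer_header(jwt_token)[len("Bearer "):]
    payload_b64 = token.split(".")[1]
    padded = payload_b64 + "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def seconds_until_expiry(jwt_token: str, now=None):
    """Seconds left before 'exp', or None if the token has no 'exp' claim (assumed name)."""
    exp = jwt_claims(jwt_token).get("exp")
    if exp is None:
        return None
    return int(exp - (time.time() if now is None else now))


def _b64(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample (fake signature, placeholder claims), not a real SmartAPI token.
SAMPLE = "Bearer " + ".".join([
    _b64({"alg": "HS512"}),
    _b64({"sub": "CLIENT_CODE_PLACEHOLDER", "iat": 1700000000, "exp": 1700003600}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    # A doubled prefix collapses to one; only the scheme and first chars are printed.
    print(bearer_header("Bearer " + SAMPLE)[:20])
    print(jwt_claims(SAMPLE))
    print(seconds_until_expiry(SAMPLE, now=1700000000))
```
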