E_TOK_002 — Token decryption failed
AES-256-GCM decryption of a provider token failed at request time.
Why this happens
codingassist.bot stores provider OAuth tokens encrypted at rest with a per-tenant Data Encryption Key (DEK). When a job tries to use a token and decryption fails, you'll see this error.
The two common root causes are:
- The DEK was rotated and the token wasn't re-encrypted — most often during a manual KMS rotation
- The ciphertext is corrupt — extremely rare; usually the result of a bad migration
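Both root causes surface as the same AES-GCM authentication failure, so the error alone does not say which path applies. The Go code below is an added example, not codingassist.bot's implementation: it assumes older DEK versions are still retained, and its names (`Seal`, `Open`, `SealedUnder`, the version-to-DEK keyring) are hypothetical. It checks which retained DEK, if any, still authenticates a stored blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek) // a 32-byte DEK selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal returns nonce || ciphertext || tag for one token.
func Seal(dek, token []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	_, err = rand.Read(nonce)
	return gcm.Seal(nonce, nonce, token, nil), err
}

// Open fails the same way for a wrong DEK and for a modified blob.
func Open(dek, blob []byte) ([]byte, error) {
	gcm, err := newGCM(dek)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad DEK or truncated blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// SealedUnder returns the keyring version (hypothetical layout) that opens blob, or 0 if none does.
func SealedUnder(keyring map[int][]byte, blob []byte) int {
	for v, dek := range keyring {
		if _, err := Open(dek, blob); err == nil {
			return v
		}
	}
	return 0
}
func main() { // constructed 32-byte sample DEKs; version 2 is treated as current
	ring := map[int][]byte{1: []byte("constructed-sample-dek-version-1"), 2: []byte("constructed-sample-dek-version-2")}
	blob, _ := Seal(ring[1], []byte("constructed-token"))
	fmt.Println("blob authenticates under DEK version", SealedUnder(ring, blob))
}
```

A result that names an older version than the current one corresponds to the rotated-DEK cause (Path A); a result of 0 means no retained DEK authenticates the blob, which corresponds to the corrupt-ciphertext cause (Path B).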
How to fix it
Pick the path that matches your situation.
Path A — DEK was rotated
Re-encrypt the affected tenant's tokens against the new DEK:
codingassist admin tokens reencrypt \
--tenant <tenant_id> \
--dek-version latest

The command re-fetches each token via OAuth refresh, encrypts it with the current DEK, and stores it. No downtime.
Path B — Ciphertext is corrupt
Force a fresh OAuth flow for the affected provider:
Disconnect the provider
From the dashboard, go to Settings → Integrations and click Disconnect next to the affected provider.
Reconnect
Click Connect again and complete the OAuth flow. The new token will be encrypted with the current DEK.
Replay any failed reviews
Failed reviews are kept for 7 days and can be replayed:
codingassist reviews replay --since 24h