Tiago Raposo

Reputation: 17

401 Unauthorized when using Forge Viewer, but using CURL it returns 200 OK

When initializing an instance of Forge Viewer, it is returning a 401 Unauthorized with a token generated on my server. But the same exact code generates a valid token for Model Derivative to convert a file to SVF. Using CURL to generate a token and then accessing a manifest on Model Derivative also works. The credentials are correct, the code is correct, it all works in all paths, except when initializing the Viewer (and the same code worked until earlier today).

Is there a problem with Viewer authentication on Autodesk servers? Or something changed for token generation on the Viewer?

Edit: something in my server was creating a token with all kinds of permissions (read and write, data, bucket, etc.). Thanks to varunpatil's answer, I changed the token to use only 'viewables:read', and it loaded successfully.

New edit: it started to happen on my local system, with another account. Everything is set up correctly, yet tokens still come up invalid.

I've inspected them with https://www.jstoolset.com/jwt, and this is the header and payload:

{"alg":"RS256","kid":"--hidden--"}
{"scope":["viewables:read"],"client_id":"--hidden--","aud":"https://autodesk.com/aud/ajwtexp60","jti":"--hidden--","exp":1618599603}

Upvotes: 1

Views: 568

Answers (2)

Tiago Raposo

Reputation: 17

It turns out that our server was caching the token, and in some cases wasn't updating it after expiration. Disabling the cache apparently solved the issue, although a new token will always be generated, independent of the expiration time.

Upvotes: 0

varunpatil

Reputation: 823

Use scope viewables:read.

Please don't use data:read for the viewer; with that token users can read all the files. Ref: https://forge.autodesk.com/blog/new-viewablesread-scope

Upvotes: 1
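
Both answers combined in an added example (not code from the original posts or from Autodesk): a server-side cache that reuses a token only until shortly before its `exp` claim, instead of disabling caching, and refuses to hand out a token whose scope is anything other than `viewables:read`. The names `createTokenCache`, `fetchToken` and `sampleJwt` and the 60-second margin are assumptions; `fetchToken` stands for whatever call the server already uses to obtain a token.

```javascript
const VIEWER_SCOPE = 'viewables:read';

// Read exp and scope from the JWT payload. No signature check is done here:
// the server has just received the token from the issuer.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// fetchToken: hypothetical async function resolving to a fresh JWT string.
// now: injectable clock (milliseconds) so expiry handling can be tested.
function createTokenCache(fetchToken, { skewSeconds = 60, now = () => Date.now() } = {}) {
  let cached = null;  // { jwt, exp }
  let pending = null; // one in-flight refresh shared by concurrent callers

  async function refresh() {
    const jwt = await fetchToken();
    const { exp, scope } = decodePayload(jwt);
    if (typeof exp !== 'number') throw new Error('token has no exp claim');
    // Never pass the browser anything broader than viewables:read.
    if (!Array.isArray(scope) || scope.length !== 1 || scope[0] !== VIEWER_SCOPE) {
      throw new Error('unexpected scope: ' + JSON.stringify(scope));
    }
    cached = { jwt, exp };
  }

  return async function getToken() {
    const nowSec = Math.floor(now() / 1000);
    // Refresh when missing, expired, or within skewSeconds of expiry.
    if (!cached || cached.exp - skewSeconds <= nowSec) {
      pending = pending || refresh().finally(() => { pending = null; });
      await pending;
    }
    return { token: cached.jwt, expiresIn: cached.exp - Math.floor(now() / 1000) };
  };
}

// Constructed, unsigned sample token for trying the cache offline.
function sampleJwt(exp, scope = [VIEWER_SCOPE]) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256' }), enc({ scope, exp }), 'sig'].join('.');
}
```

The `expiresIn` value returned with each token is its remaining lifetime in seconds, so the page receiving it knows when to ask the server again.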
