Problems with OAuth Token Configuration

edited December 2023 in Modeling

Hi all,

it has been a while since my team and I have been trying to perform the Anaplan Connect Token configuration correctly.

This one time, it seemed to be working for the first run, until I found out that the batch file runs correctly a second time only if remove the JKS file naturally generated in the user's folder during the first attempt.

To be even more specific, it means that each time I run the batch file I already ran at least once, I have to make sure the JKS file is removed from the user's folder, otherwise I get this error:

Do you guys know how to solve this issue?

Thanks in advance,




  • Hi @LucaRicci,

    It's a known bug in the Anaplan OAuth2 API for non-rotatable tokens - when you are authorizing the device (using URL with 8 character code), make sure you are NOT logged in Anaplan already. So the best is to open the link in the private browsing, only then login when asked to do so. This should make it the device code work as intended (until expiration defined in the configuration, not only for the first time).

    You can read more here:

  • @M.Kierepka Thanks for answering, I tried to follow your suggestion but still it's now working so I am probably missing something. What you mean is that I have to send the postman calls (both Client ID and Device Code), then run the batch file get the first error, copy in the private browsing the URL that has been generated and go back to the prompt command. After that I should be able to run any batch file without the postman phase of the process. Is that correct?

  • @LucaRicci Sorry, but if you are using Anaplan Connect, what does Postman has to do with it? Anaplan Connect fetches the Device Code automatically during token generation, the only thing you need to provide in the AC script is the OAuth2 Client ID (which you already done, as it's almost working). I think these steps should help you:

    1. Remove manually the JKS file that was generated during last run (this is equivalent to using —forceRegister command if you don't want to do it manually).
    2. Run the Anaplan Connect - you will be asked for authenticating the code via browser
    3. Copy the URL that you are asked to authenticate, but paste it in the private browsing
    4. You will be redirected to Anaplan page, push the accept button, then you will be asked to authenticate to Anaplan, and once you do it, you will get a message about the success and you can close the browser window.
    5. Your Anaplan Connect should finish the task successfully, and next time you run any script with this ClientID, it will not prompt you for the authentication and should work as intended.

    As it was working for you for every first time after authenticating the token, I assume you done almost everything correctly last time, so really the only difference is that you need to open the code validation in the fresh/private browser session.

  • LucaRicci
    edited December 2023

    @M.Kierepka Thanks, all of sudden I am getting a completely different error I have never seen. Do you know what it is?

  • Hi @LucaRicci,

    Not sure, I think it's the first time I see this kind of error. Let me send you the simplest script (which I usually use for config of OAuth2) — it works for me every time, I hope it will work for you. The only thing you need to do is to add your client ID (and if it's rotatable token, add also "—rotatable" flag).

    After first use, remember to remove argument "--forceRegister" to keep it, and then run it again, hopefully it will work (all it does is just lists all available workspaces, which is the most basic call and should never fail).

    @echo off
    rem for rotatable remember to add flag "--rotatable"
    set Command=.\AnaplanClient.bat -oauth-client-id ABC123 -d -auth "" --forceRegister -workspaces
    setlocal enableextensions enabledelayedexpansion || exit /b 1
    cd %~dp0
    @echo %Command%
    cmd /c %Command%