# org.apache.kafka.common.errors.DelegationTokenAuthorizationException: Not authorized to access delegation tokens.

- **ID:** `kafka/delegation-token-auth-failure`
- **Domain:** kafka
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

The client lacks the required ACL to manage or use delegation tokens, often due to missing 'CreateToken' or 'DescribeToken' permissions.

## Workarounds

1. **Grant the necessary ACL, then retry the token request.** (85% success)
   ```
   kafka-acls.sh --bootstrap-server localhost:9092 --add --allow-principal User:client_user --operation CreateToken --topic '*'
   ```

## Dead Ends

- Adding `super.users` in `server.properties` grants full access but is insecure and doesn't teach proper ACL management. (60% fail)
- Restarting the broker doesn't change ACLs; the error persists until permissions are correctly configured. (95% fail)
