# org.apache.kafka.common.errors.TransactionalIdAuthorizationException: Transactional ID authorization failed

- **ID:** `kafka/transactional-id-authorization-failed`
- **Domain:** kafka
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

The producer's `transactional.id` is not authorized by broker ACLs for the WRITE operation on the transactional ID resource.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| 2.8.0 | active | — | — |
| 3.2.0 | active | — | — |
| 3.4.0 | active | — | — |

## Workarounds

1. **Add an ACL for the transactional ID with WRITE permission for the producer principal using `kafka-acls.sh`.** (95% success)
2. **Use `kafka-acls.sh` to grant DESCRIBE and WRITE on the transactional ID resource.** (90% success)
3. **If using Kafka 3.0+, enable `authorizer.class.name` with `kafka.security.authorizer.AclAuthorizer` and add ACLs via the AdminClient API.** (85% success)
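
An added example (not part of the original entry) of the grant described in workarounds 1 and 2: a dry-run wrapper that builds the `kafka-acls.sh` command for one principal and one literal transactional ID, and refuses wildcard or empty scopes. The broker address, the `admin.properties` path, the principal and the transactional ID are constructed placeholders; `run`, `valid_scope`, `grant_txn_acl` and `list_txn_acl` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original entry. BOOTSTRAP, ADMIN_CONFIG and the
# sample principal / transactional ID at the bottom are constructed placeholders.
BOOTSTRAP="${BOOTSTRAP:-broker1.example.internal:9093}"
ADMIN_CONFIG="${ADMIN_CONFIG:-admin.properties}"

# Dry run by default: print the command. Set APPLY=1 to execute it.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Accept only "User:<name>" and a literal transactional ID. Wildcards, spaces
# and empty values are rejected so the grant cannot widen beyond one producer.
valid_scope() {
  case "$1" in
    User:?*) ;;
    *) return 1 ;;
  esac
  case "$1$2" in
    *[!A-Za-z0-9._=,:-]*) return 1 ;;
  esac
  [ -n "$2" ]
}

# Grant Write and Describe on the transactional ID resource to one principal.
grant_txn_acl() {
  valid_scope "$1" "$2" || { echo "refusing scope: $1 / $2" >&2; return 1; }
  run kafka-acls.sh --bootstrap-server "$BOOTSTRAP" --command-config "$ADMIN_CONFIG" \
    --add --allow-principal "$1" --operation Write --operation Describe \
    --transactional-id "$2"
}

# List the ACLs on the transactional ID to confirm what the broker now holds.
list_txn_acl() {
  run kafka-acls.sh --bootstrap-server "$BOOTSTRAP" --command-config "$ADMIN_CONFIG" \
    --list --transactional-id "$1"
}

# Constructed sample values; prints both commands without contacting a broker.
grant_txn_acl "User:orders-producer" "orders-txn-1"
list_txn_acl "orders-txn-1"
```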

## Dead Ends

- Disabling ACLs globally bypasses security but introduces vulnerability; does not fix authorization logic. (95% fail)
- Super users bypass ACLs but require broker restart; not a scalable solution for multiple producers. (80% fail)
- New transactional ID still needs ACL authorization; error persists unless ACLs are updated. (90% fail)
