Cause: Currently the "admin token" is cached and upon checking the cache we verify the expiration on the token before using it but we have no logic to invalidate the cache if the response from the Keystone API says that the "admin token" is invalid. Consequence: Swift API requests for clients are dropped causing Error 401 on some RGW servers until service is restarted. Fix: There is probably multiple places in Keystone where it invalidates tokens, but one example where the "admin token" would be invalidated and return HTTP 401 status code is if the user that is configured in rgw_keystone_admin_user has it's password changed (even if it's the same password as the current one) then Keystone will invalidate it's cache and invalidated existing tokens even if they have not expired yet Result: Keystone is now able to invalidate it's cache and invalidated existing tokens even if they have not expired yet