We're using JWT authentication for calls to the Salesforce API. I set it up this summer and it was working well. The app could refresh the token whenever it needed to and storing the result in memcache.

This recently stopped working, I guess. My local memcache got flushed and I noticed that I started getting an error:

{u'error_description': u"user hasn't approved this consumer", u'error': u'invalid_grant'}

(Other machines that still hold the old token work fine.)

As far as I can tell, nothing about the API user or its relationship to the connected app has changed. The app's policy is "Admin approved users are pre-authorized", and a profile containing the user is listed in 'Profiles' on the app configuration page.

Has anybody run into this before?