ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Error 400 returned on REST API authentication request


Article ID: 227053


Updated On:


Endpoint Protection


Trying to access the Symantec Endpoint Protection Manager (SEPM) API using a defined Administrator account returns a 400 error:

Error connecting to client with address https://<SEPM server>:8446/sepm/api and port 8446, reason: 400 client Error: for url: {'errorCode':'400', 'appErrorCode'L ",'errorMessage': 'URLDecoder: Illegal hex characters in escape (%) pattern}.

2021-09-28 11:44:59,727 [https-openssl-apr-] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: URLDecoder: Illegal hex characters in escape (%) pattern - Error at index 0 in: "rd"

Or, the API may return {"errorCode": "400", "appErrorCode": "", "errorMessage": "URLDecoder: Incomplete trailing escape (%) pattern"}.

2021-09-29 00:59:50,892 [https-openssl-apr-] ERROR c.s.s.s.c.e.h.GlobalControllerExceptionHandler - EXCEPTION: URLDecoder: Incomplete trailing escape (%) pattern 


When the administrator password contains a % (percent sign) it will be interpreted as an escape character.

For example, "Passw0%rd" is truncated to "Passw0" and the %rd throws an error due invalid hex characters.

Similarly, "Passwo%5d" would become "Passwo" and the %5d would be treated as "]", and the error may not be thrown.

Finally, if the password ends in "%", like "Passw0rd%", an error is thrown.


Change the administrator password used with the API so that it does not contain a "%", to avoid the issue.