Credhub Service Broker Deploy-All Errand Failure - 401 Unauthorized

Article ID: 426637


Products

VMware Tanzu Platform Core

Issue/Introduction

During the upgrade of the CredHub Service Broker tile from version 1.6.4 to 1.6.7, the deploy-all errand failed while pushing the 'setup' application. That application runs a ./seed.sh script, which calls curl with the UAA admin client credentials, and the call fails to authenticate with UAA:

2026-01-25T03:51:06.37+0800 [APP/TASK/68d51230/0] ERR curl: (22) The requested URL returned error: 401

Cause

The 401 Unauthorized error is caused by a special character in the UAA admin client secret. The curl command in seed.sh places the secret in the form-encoded request body without URL-encoding it, so it cannot handle characters that have a special meaning in that format (for example & and =), and authentication fails:

adminToken=$(curl -f 'https://uaa.service.cf.internal:8443/oauth/token' -X POST \
  -d "client_id=$UAA_ADMIN_CLIENT&client_secret=$UAA_ADMIN_CLIENT_SECRET&grant_type=client_credentials&token_format=opaque&response_type=token")


The following special characters may cause this 401 issue; avoid them when choosing a new admin client secret.

Reserved characters that MUST be encoded:
% → %25 (percent sign - must be encoded first to avoid double-encoding)
& → %26 (ampersand - separates parameters)
= → %3D (equals - separates key from value)
+ → %2B (plus sign - represents space in URL encoding)
# → %23 (hash/fragment identifier)
? → %3F (question mark - starts query string)
/ → %2F (forward slash)
: → %3A (colon)
@ → %40 (at sign)
! → %21 (exclamation mark)
$ → %24 (dollar sign)
' → %27 (single quote)
( → %28 (left parenthesis)
) → %29 (right parenthesis)
* → %2A (asterisk)
, → %2C (comma)
; → %3B (semicolon)
Space character:
(space) → %20 or + (in form data, space is often encoded as +)
Other special characters:
[ → %5B (left bracket)
] → %5D (right bracket)
{ → %7B (left brace)
} → %7D (right brace)
| → %7C (pipe)
\ → %5C (backslash)
^ → %5E (caret)
~ → %7E (tilde)
` → %60 (backtick)
" → %22 (double quote)
< → %3C (less than)
> → %3E (greater than)

Resolution

Manually editing the script on the deploy-all VM to escape the special character will not work, because seed.sh fetches the broker client secret at runtime, so the edit does not persist. Currently, the only way to resolve this issue is to rotate to a new admin client secret that contains none of the special characters listed above.

The product team is working on a new release of CredHub Service Broker in which the script URL-encodes the secret value. This KB will be updated with the specific patch version once it is released.
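The following added example (not the product's seed.sh, and not official code) shows the failure mode from the Cause section and two mitigations: percent-encoding each value before building the form body, and a pre-rotation check for the workaround in the Resolution. The client id, secret and UAA_URL values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the CredHub Service Broker tile.
LC_ALL=C; export LC_ALL   # byte-wise string ops so every byte is encoded

# Percent-encode everything outside the RFC 3986 unreserved set [A-Za-z0-9._~-].
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"        # first byte of $s
    s="${s#?}"               # remainder of $s
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# The broken pattern from the KB: raw interpolation into the form body.
# A constructed secret such as 'p@ss&word=1' injects extra "&" and "=" separators,
# so UAA receives client_secret=p@ss plus a bogus "word=1" parameter.
token_body_raw() {
  printf 'client_id=%s&client_secret=%s&grant_type=client_credentials' "$1" "$2"
}

# Hardened: each value is encoded before being joined, so UAA sees the
# whole secret inside the client_secret field.
token_body_encoded() {
  printf 'client_id=%s&client_secret=%s&grant_type=client_credentials' \
    "$(urlencode "$1")" "$(urlencode "$2")"
}

# Pre-rotation check for the workaround in the Resolution: succeed only if the
# candidate secret is made of unreserved characters (stricter than the KB list,
# so anything that passes is safe in a form body without encoding).
secret_is_form_safe() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9._~-]*) return 1 ;;
  esac
  return 0
}

# Equivalent fix inside curl itself (not run here; needs a reachable UAA_URL):
#   curl -f "$UAA_URL/oauth/token" -X POST \
#     --data-urlencode "client_id=$UAA_ADMIN_CLIENT" \
#     --data-urlencode "client_secret=$UAA_ADMIN_CLIENT_SECRET" \
#     -d grant_type=client_credentials -d token_format=opaque -d response_type=token
```

Running `secret_is_form_safe` against a candidate secret before rotating it is the quickest way to confirm the workaround will not hit the same 401.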