2015-10-30 10:59:13 -0500 answered a question Refresh revoked token in horizon/keystone Haneef Ali is correct in that you can get a scoped token from an unscoped token. You could do it by calling openstack_auth.backend.KeystoneBackend().authenticate(token=unscoped_token)  Unfortunately, it won't work for you in this case, because the unscoped token is being invalidated along with the scoped tokens, at least with my version of keystone. See: /keystone/token/provider.py:_delete_user_tokens_callback As a result, trying this call just 401's on the call to Keystone. I've validated that this is the problem by revalidating the token (update the valid column back to 1 in the unscoped_token's record), and then calling authenticate, which then succeeds. I think Keystone would need to be altered such that the unscoped tokens were not invalidated.