CRM 2013 – What is the WRPC Token and resolving INVALID_WRPC_TOKEN errors

Program testing can be used to show the presence of bugs, but never to show their absence!


I was tasked with load testing Microsoft Dynamics CRM 2013 and I quickly ran into some problems getting INVALID_WRPC_TOKEN error

Performance Testing

We tried to use Telerik for performance testing but this ended in failure because we couldn’t get the encoded guids from the responses.

So I am now trying Visual Studio Web Performance and Load tests, which you need Visual studio 2013 Ultimate or Visual studio 2015 Enterprise editions.

Visual studio – Web Performance and Load Test Project

token error 0

I won’t go into performance testing in this post but focus on the pesky token error.  Please take into account when I do mention performance testing I might get things completely wrong, this is because I’m learning about it, using the tried and tested way of trying it and making lots of mistakes (feel free to correct me in the comments)

How did I get the error

When you do performance testing you go through this process

  1. you click start recording
  2. this brings up an Internet Explorer browser
  3. Run through the process you want to test
  4. Stop recording

This captures all the HTTP traffic (looks like a fiddler trace).  If you haven’t used Fiddler I would recommend these two links to get started

When I ran the test of my recording I got an INVALID_WRPC_TOKEN error

token error

Which leads me to the question, what is an WRPC token?

What is a WRPC token

The first place to start the search should be the CRM SDK – Why CRM Developers should always start with the CRM SDK

It took quite a lot of searching but I finally got to this page

Key management in Microsoft Dynamics CRM

Microsoft Dynamics CRM uses two kinds of private encryption keys for deployments accessed over the Internet:

Web remote procedure call (WRPC) token key. This key is used to generate a security token, which helps make sure that the request originated from the user who made the request. This security token decreases the likelihood of certain attacks, such as a cross-site request forgery (one-click) attack.


The WRPC key’s purpose is to stop people using programs to send requests to CRM and trick it into return data.

The WRPC token is embedded into each request.  You maybe thinking once you work out the token you can use it every time time.

Back to the Microsoft page Key management in Microsoft Dynamics CRM for another quote

Key Regeneration and renewal

CRM ticket keys are automatically generated and renewed and then distributed, or deployed, to all computers running Microsoft Dynamics CRM or running a specific Microsoft Dynamics CRM Server 2013 role. These keys are regenerated periodically and, in turn, replace the previous keys. By default, key regeneration occurs every 24 hours.


I have bolded the key part, key regeneration occurs every 24 hours.  This is great for stopping bad people making naughty requests but it’s not so good for my load testing script which has the WRPC token embedded into it’s recording.

Other WRPC Token errors

Whilst I was searching for information about the WRPC token I found a few more errors I have listed below

An old CRM 4 error by the awesome David Jennaway, who sadly never writes about CRM on his blog any more, he used to be an awesome source of CRM developer information.  The first link is a discussion about it.

INVALID_WRPC_TOKEN: Validate WRPC Token: WRPCTokenState=Invalid, TOKEN_EXPIRY=4320, IGNORE_TOKEN=False, MS CRM 2011

It seems you can get a token error if you open CRM in two different browsers!

Access denied error on closing of Appointment in CRM 2011

The blog was getting an error when they changed to HTTPS binding.

INVALID_WRPC_TOKEN at associating records thru CRM 2011 UI

Unexpected error while bulk edit

Work around for token errors

The only workaround I have found with regards to WRPC token is to disable the token being used.

I found the answer on this blog page

You can add a registry key which will disable the CRM token check.

On the CRM Server, open REGEDIT

Go to


Create a DWORD registry key with the name IgnoreTokenCheck

Set the value to 1

Restart IIS or Recycle App pool


As with a lot of workaround this does mean your CRM is more open to cross site scripting attacks.

I wouldn’t recommend this for a production environment, unless it’s only a short term fix.

Back to my Web performance testing

I disable the check and my recordings were working without error.

Talking about Performance testing, Microsoft have released the CRM Peformance Toolkit for CRM 2015 but which is compatible with CRM 2013 (for free)

CRM-Performance-Toolkit for CRM 2013/CRM2015 is released

The tests will test all default entities and will provide a good starting point for creating your own tests.

Hopefully these tests will provide a way to get the WRPC token and save it as a parameter because turning off the WRPC token will only work for on premise CRM organisation because you cannot turn off this setting for CRM Online (you don’t have access to the server).

Hopefully with a bit of digging around I can work out how Microsoft have got round this WRPC token problem I was experiencing.