Part of the Luminate Online 15.5 upgrade included changes to session information in order to adhere to PCI compliant standards (described in depth in BB756339).

An auth token is a session identifier, and as such can no longer be passed in the URL when making API calls. This means that the "sso_auth_token" parameter must now be passed as a POST parameter rather than a URL parameter. If you view your API logs for one of the requests that returned the error code, you will see something that looks like the following:

"URL-https://secure2.convio.net/organization/site/CRTeamraiserAPI?method=getRegistration&api_key=key&v=1.0&fr_id=1001&sso_auth_token=5a9f5b8105eea7350966920f33f464f5d88a82f3.1011488.23888974"

Each parameter that is visible in the URL string (has &param=value) has been passed as a URL parameter rather than a POST parameter. The sso_auth_token at the very least must be sent as a POST parameter. You will be able to tell that is being accomplished when the parameter no longer appears in the URL string in your API logs. Below is an example of what a URL string would look like if all parameters were sent as a POST parameter rather than a URL parameter:

"URL-https://secure2.convio.net/organization/site/CRTeamraiserAPI"

Once the sso_auth_token is being sent as a POST parameter, retry your API calls to verify that the token is now correctly being used.