[BUG] OAuth token expiration disrupts autonomous workflows – refresh token handling needed

Open brupelo opened this issue 2 months ago • 9 comments

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

OAuth token expiration disrupts autonomous workflows – refresh token handling needed

Environment:

  • Claude Code version: 2.0.45
  • Platform: Docker (headless/autonomous operation)

Problem

OAuth tokens expire during long-running autonomous tasks, causing 401 authentication_error failures that require manual /login intervention. When running multiple concurrent Claude Code instances dispatching work over extended periods (hours/days), token expiration halts all in-progress tasks simultaneously, leaving work in incomplete states.

API Error: 401 {"type":"error","error":{"type":"authentication_error","message":"OAuth token has expired. Please obtain a new token or refresh your existing token."},"request_id":"..."}

Combined with occasional 500 errors (separate issue, but compounding), sustained autonomous operation is currently not viable.

Why This Feels Like a Bug (Not Just a Security Feature)

I understand short-lived tokens are a security best practice—limiting exposure if credentials leak. However:

  1. OAuth has a standard solution for this: refresh tokens. Short-lived access tokens + automatic refresh gives you both security AND seamless operation. The current implementation seems to require manual re-authentication rather than handling refresh transparently.

  2. The failure mode is destructive. Tasks don't gracefully pause and resume—they leave branches and work in half-finished states. If the intent is to require periodic human check-ins, a cleaner approach would be to pause work cleanly and queue for resumption, not crash mid-task.

  3. No visibility into expiration timing. I can't plan around this because I don't know when expiration will occur. If human oversight is the goal, at least let me see "token expires in X hours" so I can schedule accordingly.

  4. If limiting autonomous operation is intentional, there are better mechanisms: explicit autonomous-mode opt-in, spending caps, task duration limits, or configurable session lengths. The current behavior doesn't prevent autonomous use—it just makes it frustrating and wastes work.

What I'm Trying to Do

Run multiple Claude Code instances in Docker containers, dispatching and processing issues continuously over several days. This requires:

  • Reliable authentication that doesn't require babysitting
  • Graceful handling of transient failures (auth, network, API errors)
  • Ability to resume interrupted work

Question for Maintainers

Is the current behavior intentional to discourage long-running autonomous agents, or is this simply an implementation gap in the OAuth flow? If it's intentional, I'd appreciate understanding the reasoning—and would suggest that explicit guardrails (spending limits, duration caps, opt-in autonomous mode) would be a better UX than silent auth failures.


This is currently a significant blocker for autonomous agentic workflows. Happy to provide more details or test any proposed fixes.

What Should Happen?

Proposed Solutions (Pick Any)

  1. Implement proper refresh token handling – Transparently refresh access tokens before expiration. This is the standard OAuth pattern.

  2. Expose token lifetime configuration – Let users set token expiration duration (like Azure DevOps, GitHub PATs, etc.). Those running supervised can use short tokens; those running autonomous can accept the security trade-off.

  3. Add session resumption – If auth fails mid-task, persist state so work can resume after re-authentication rather than leaving repos in broken states.

  4. Show expiration time – At minimum, display when the current token expires (/status or similar) so users can plan around it.

Error Messages/Logs

API Error: 401 {"type":"error","error":{"type":"authentication_error","message":"OAuth token has expired. Please obtain a new token or refresh your existing token."},"request_id":"req_011CVWAKo6VpooYthEXLYEYe"} · Please run /login

Steps to Reproduce

Environment setup:

  1. Run Claude Code in a Docker container (headless, no interactive terminal)
  2. Authenticate via /login
  3. Dispatch one or more long-running tasks (e.g., complex refactoring, multi-file changes, issue-driven workflows)

Reproduction:

  1. Start a task that takes 30+ minutes, or start multiple concurrent tasks
  2. Leave running unattended for several hours (I've seen this trigger within 2-4 hours, but exact timing is unpredictable)
  3. Return to find all instances stopped with 401 authentication_error

Observed behavior:

  • All running tasks fail simultaneously with OAuth expiration error
  • Work is left in incomplete state (partial commits, uncommitted changes, mid-process branches)
  • Requires manual /login to resume
  • No warning before expiration occurs

Expected behavior:

  • Token refreshes automatically before expiration
  • Or: tasks pause gracefully and resume after re-authentication
  • Or: at minimum, token expiration time is visible so users can plan around it

Frequency: Happens consistently when running tasks over extended periods. Not a rare edge case.

Note: Exact expiration timing is unknown—this is part of the problem. If there's a way to inspect token TTL, please share and I can provide more precise reproduction timing.

Claude Model

None

Is this a regression?

Yes, this worked in a previous version

Last Working Version

No response

Claude Code Version

2.0.45 (Claude Code)

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

Windows Terminal

Additional Information

No response

brupelo avatar Nov 26 '25 08:11 brupelo
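
The refresh-before-expiry pattern requested in proposed solution 1, combined with the clean pause from solution 3, as an added example that is not part of the original issue and is not Claude Code's implementation. `TokenManager`, `refresh_fn`, `ReauthRequired` and the fake token endpoint are hypothetical names and constructed data; the page does not show the real endpoint or credential storage.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

class ReauthRequired(Exception):
    """Refresh failed: checkpoint the task and pause instead of crashing."""

@dataclass
class Token:
    access: str
    refresh: str
    expires_at: float  # absolute time on the injected clock, in seconds

class TokenManager:
    def __init__(self, token, refresh_fn, skew=60.0, clock=time.monotonic):
        self._tok, self._refresh_fn, self._skew, self._clock = token, refresh_fn, skew, clock
        self._lock = threading.Lock()

    def seconds_left(self):  # remaining lifetime, for status display
        return self._tok.expires_at - self._clock()

    def get(self, stale=None):
        """Return a usable access token; refresh at most once per expiry."""
        with self._lock:  # single-flight: concurrent workers share one refresh
            if stale == self._tok.access or self.seconds_left() <= self._skew:
                try:  # rotation: the returned refresh token replaces the old one
                    self._tok = self._refresh_fn(self._tok.refresh)
                except Exception as exc:
                    raise ReauthRequired("refresh token rejected") from exc
            return self._tok.access

    def call(self, request_fn):  # request_fn(access) -> (status, body)
        access = self.get()
        status, body = request_fn(access)
        if status == 401:  # expired early or revoked server-side: retry once
            status, body = request_fn(self.get(stale=access))
        return status, body

def demo(workers=8):  # constructed scenario: token 30 s from expiry
    now, issued = 1000.0, []
    def fake_refresh(refresh):  # fake endpoint: accepts only the newest refresh token
        if refresh != f"r{len(issued)}":
            raise ValueError("invalid_grant")
        issued.append(refresh)
        return Token(f"a{len(issued)}", f"r{len(issued)}", now + 3600)
    mgr = TokenManager(Token("a0", "r0", now + 30), fake_refresh, clock=lambda: now)
    with ThreadPoolExecutor(workers) as pool:
        seen = list(pool.map(lambda _: mgr.get(), range(workers)))
    return seen, len(issued), mgr.seconds_left()
```

Because the refresh token is rotated on every use, containers that each hold their own copy of the credentials would invalidate one another; the single-flight lock only helps workers that share one `TokenManager`.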

We also observe this problem in Xcode. Have to sign out and log in once a day.

onikiienko avatar Dec 02 '25 11:12 onikiienko

If I am not entirely wrong, I was able to solve it by doing "claude setup-token" instead of /login within the interactive shell.

It says: "Your OAuth token (valid for 1 year)" and "✓ Long-lived authentication token created successfully!"

toorusr avatar Dec 08 '25 07:12 toorusr

@toorusr I tried your suggestion and was able to create a long-lived auth token, but I am still getting this error in the Claude (Code) desktop app

Image

lsscodes avatar Dec 13 '25 22:12 lsscodes

Hi guys, thanks for the feedback and suggestions! That sounds really good—exactly what was needed. /login won’t cut it. I haven’t had time to try it yet, but I’ll give it a shot once my usage is back… crazy how fast the Max plan gets used up—four days of idling already because all models maxed out in the blink of an eye. IMHO it’s quite expensive for the limited usage you get from the Claude API and the extra usage is very expensive; at times I maxed out in a few minutes, but that’s off-topic.

With this approach, I assume you’d be able to use a single authorization token that you can easily revoke from https://claude.ai/settings/claude-code and share across different agents, right?

Right now, I’m running multiple Docker environments, and in each one I have to log in manually once and then share credentials across all containers. It would be great if I could instead share a single token across all environments.

As long as this provides proper control over expiration and revocation, it sounds like the right solution.

brupelo avatar Dec 15 '25 11:12 brupelo

A manual long-lived token is really not the solution; plenty of apps use refresh tokens and can properly refresh the session. Case in point: simply restarted Claude Code and it is good to go, there is no reason it shouldn't be able to keep its session alive. @lsscodes the desktop app doesn't have a similar option, thus the continued issue.

mitchcapper avatar Dec 16 '25 21:12 mitchcapper

Now getting asked daily to re-login to Claude Desktop 👎

ftballguy45 avatar Dec 17 '25 14:12 ftballguy45

I am using Claude Desktop and can't log in to Code. Everything is fine but Code is not working. Always getting Token failure... /login does nothing. Manually logging off and logging in does nothing, still error. Can't work anymore, please help. Running on Windows with Google Auth.

ElCativoGER avatar Dec 21 '25 16:12 ElCativoGER