Problem
When the OAuth refresh token expires (not the access token), Clawdbot keeps trying to refresh and failing, without prompting for re-authentication. The user sees repeated failures until they manually re-authenticate.
Expected Behavior
- Clawdbot should detect when a refresh attempt fails due to an expired/invalid refresh token
- It should proactively warn the user (or auto-prompt) for re-authentication
- Ideally, it should track refresh token expiry and warn before it expires (like it does for access tokens)
Actual Behavior
- Auto-refresh of access tokens works fine for days
- When the refresh token expires, Clawdbot logs errors repeatedly but takes no recovery action:
OAuth token refresh failed for anthropic: Failed to refresh OAuth token for anthropic. Please try again or re-authenticate.
- The gateway keeps trying the dead refresh token on subsequent requests
- User must manually diagnose and re-authenticate
Logs Showing the Issue
✓ Jan 20-24: Auto-refresh working fine
[agents/auth-profiles] wrote refreshed credentials to claude cli keychain
(every ~8 hours)
✓ Jan 24 21:37 UTC: Last successful refresh
✗ Jan 25 09:44 UTC: FIRST FAILURE
OAuth token refresh failed for anthropic
✗ Failures continued at 17:44, 17:52, 18:04, 18:06 UTC
(All failed with same error - no recovery attempted)
Root Cause
OAuth has two tokens:
- Access token - short-lived (~8 hours), Clawdbot refreshes this automatically ✓
- Refresh token - longer-lived but NOT infinite, used to get new access tokens
Clawdbot tracks access token expiry but not refresh token expiry. When the refresh token dies, there's no detection or recovery path.
Additional Context
User investigation found multiple credential stores that can get out of sync:
- macOS Keychain (Claude Code-credentials)
- ~/.clawdbot/credentials/oauth.json
- ~/.clawdbot/agents/main/auth-profiles.json
The external-cli-sync logic reads from keychain but may not update all profile stores consistently.
Suggested Fix
- Detect refresh failures (HTTP 400/401 from token endpoint) and mark the auth profile as needing re-authentication
- Surface a clear message to the user: "Refresh token expired - please run clawdbot configure or claude login"
- Optionally: track refresh token expiry (if available in the OAuth response) and warn proactively
Environment
- Clawdbot version: 2026.1.24-3
- macOS 15.x (Sequoia)
- Auth method: Claude CLI OAuth (keychain sync)
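Added example, not Clawdbot's own code: one way to implement the detection step from the suggested fix, treating HTTP 400/401 from the token endpoint as terminal for the stored refresh token and everything else as retryable. The profile fields (needsReauth, reauthReason, accessToken, refreshToken, expiresAt) and the function names are hypothetical.

```javascript
// Added example, not Clawdbot source. Profile fields and function names are hypothetical.
const REAUTH_MESSAGE =
  'Refresh token expired - please run clawdbot configure or claude login';

// Gate: once a profile is flagged, stop sending the dead refresh token.
function shouldAttemptRefresh(profile) {
  return !profile.needsReauth && Boolean(profile.refreshToken);
}

// Extract the OAuth error code from a token endpoint error body
// (RFC 6749 section 5.2), e.g. {"error":"invalid_grant"}.
// Returns undefined when the body is not JSON or has no string "error" field.
function oauthErrorCode(bodyText) {
  try {
    const parsed = JSON.parse(bodyText);
    return typeof parsed.error === 'string' ? parsed.error : undefined;
  } catch {
    return undefined;
  }
}

// Apply one token endpoint response to the profile and tell the caller what to do.
// Only the error code or status is recorded; token values never go into the reason.
function applyRefreshResult(profile, status, bodyText, nowMs) {
  if (status >= 200 && status < 300) {
    const body = JSON.parse(bodyText);
    profile.accessToken = body.access_token;
    // The server may rotate the refresh token; keep the old one if none is returned.
    if (body.refresh_token) profile.refreshToken = body.refresh_token;
    profile.expiresAt = nowMs + body.expires_in * 1000;
    return { action: 'ok' };
  }
  if (status === 400 || status === 401) {
    // Terminal for this refresh token: retrying with it cannot succeed.
    profile.needsReauth = true;
    profile.reauthReason = oauthErrorCode(bodyText) || `http_${status}`;
    return { action: 'reauth', message: REAUTH_MESSAGE };
  }
  // 429, 5xx and anything else: keep the token and retry later with backoff.
  return { action: 'retry' };
}
```

The caller checks shouldAttemptRefresh before each refresh, so a flagged profile surfaces the re-authentication message once instead of failing on every request.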