---
# nuzlocke-tracker-tatg
title: 'Bug: Intermittent 401 errors / failed save-load requiring page reload'
status: todo
type: bug
priority: high
created_at: 2026-03-21T21:50:48Z
updated_at: 2026-03-21T21:50:48Z
---

## Problem

During gameplay, the app intermittently fails to load or save data. A page reload fixes the issue. Likely caused by expired Supabase JWT tokens not being refreshed automatically before API calls.

## Current Implementation

- Auth uses Supabase JWTs verified with HS256 (`backend/auth.py:39-44`)
- Frontend gets token via `supabase.auth.getSession()` in `client.ts:16-21`
- `getAuthHeaders()` returns the cached session token without checking expiry
- When the token expires between interactions, API calls return 401
- Page reload triggers a fresh `getSession()` which refreshes the token

## Root Cause Analysis

`getSession()` returns the cached token. If it's expired, the frontend sends an expired JWT to the backend, which rejects it with 401. The frontend doesn't call `refreshSession()` or handle token refresh before API calls.

## Proposed Fix

- [ ] Add token refresh logic before API calls (check expiry, call `refreshSession()` if needed)
- [ ] Add 401 response interceptor that automatically refreshes token and retries the request
- [ ] Verify Supabase client `autoRefreshToken` option is enabled
- [ ] Test with short-lived tokens to confirm refresh works
- [ ] Check if there's a race condition when multiple API calls trigger refresh simultaneously