nuzlocke-tracker/.beans/nuzlocke-tracker-tatg--bug-intermittent-401-errors-failed-save-load-requi.md
2026-03-22 08:56:06 +01:00

title: Bug: Intermittent 401 errors / failed save-load requiring page reload
status: todo
type: bug
priority: high
created_at: 2026-03-21T21:50:48Z
updated_at: 2026-03-21T21:50:48Z

Problem

During gameplay, the app intermittently fails to load or save data. A page reload fixes the issue. Likely caused by expired Supabase JWT tokens not being refreshed automatically before API calls.

Current Implementation

  • Auth uses Supabase JWTs verified with HS256 (backend/auth.py:39-44)
  • Frontend gets token via supabase.auth.getSession() in client.ts:16-21
  • getAuthHeaders() returns the cached session token without checking expiry
  • When the token expires between interactions, API calls return 401
  • Page reload triggers a fresh getSession() which refreshes the token

Root Cause Analysis

getSession() returns the cached token. If it's expired, the frontend sends an expired JWT to the backend, which rejects it with 401. The frontend doesn't call refreshSession() or handle token refresh before API calls.

Proposed Fix

  • Add token refresh logic before API calls (check expiry, call refreshSession() if needed)
  • Add a 401 response interceptor that automatically refreshes the token and retries the request
  • Verify that the Supabase client's autoRefreshToken option is enabled
  • Test with short-lived tokens to confirm refresh works
  • Check if there's a race condition when multiple API calls trigger refresh simultaneously
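
A sketch of the first, second and last items of the proposed fix combined: expiry check before the call, a single retry on 401, and one shared refresh for concurrent callers. This is an added example, not code from the nuzlocke-tracker repository; AuthLike, makeAuthedRequest, send and SKEW_SECONDS are hypothetical names, and AuthLike is a simplified stand-in for the Supabase auth client.

```typescript
// Added example, not the project's code. AuthLike is a hypothetical, simplified
// stand-in for the getSession()/refreshSession() calls named in the ticket.
interface Session { access_token: string; expires_at: number } // expires_at: Unix seconds
interface AuthLike {
  getSession(): Promise<Session | null>;
  refreshSession(): Promise<Session | null>;
}
interface Reply { status: number }

const SKEW_SECONDS = 30; // assumed margin: refresh early to absorb clock drift and latency

function makeAuthedRequest(auth: AuthLike, now: () => number = () => Date.now() / 1000) {
  let inFlight: Promise<Session | null> | null = null;

  // Single-flight: concurrent callers share one refresh instead of racing each other.
  function refreshOnce(): Promise<Session | null> {
    if (inFlight !== null) return inFlight;
    const p = auth.refreshSession();
    const clear = () => { inFlight = null; };
    inFlight = p;
    p.then(clear, clear); // release the slot on success or failure
    return p;
  }

  // Return a token that is not expired (or about to expire) according to the local clock.
  async function currentToken(): Promise<string> {
    let session = await auth.getSession();
    if (session === null || session.expires_at - now() <= SKEW_SECONDS) {
      session = await refreshOnce();
    }
    if (session === null) throw new Error("not authenticated");
    return session.access_token;
  }

  // send() performs the actual API call with the given bearer token.
  return async function request(send: (token: string) => Promise<Reply>): Promise<Reply> {
    const reply = await send(await currentToken());
    if (reply.status !== 401) return reply;
    // The backend rejected a token that looked valid locally: refresh and retry
    // exactly once, so a persistent 401 surfaces instead of looping.
    const session = await refreshOnce();
    if (session === null) return reply;
    return send(session.access_token);
  };
}
```
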