[GH-ISSUE #7703] on stateless setup, calling getAccessToken does not refresh the access token when needed #19511

New Issue

GiteaMirror · 2026-04-15T18:42:56-05:00

GiteaMirror commented

2026-04-15 18:42:56 -05:00

Originally created by @stoompa on GitHub (Jan 30, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7703

Is this suited for github?

Yes, this is suited for github

To Reproduce

Critical bug: access token never refreshes after expiry (breaks auth flow)

This has also been mentioned on Discord but didn’t get traction:

Summary

This appears to be a critical bug because it breaks the authentication flow entirely.

Once the accessToken expires, it is never refreshed. Instead, calls that should transparently refresh the token fail with a 400 BAD_REQUEST.

Observed behavior

When the token is expired, calling getAccessToken throws:

{
  status: 'BAD_REQUEST',
  body: [Object],
  headers: {},
  statusCode: 400,
  [cause]: [Object]
}

Current vs. Expected behavior

Current issue

The accessToken expires and is not automatically refreshed. In practice, the token expires every time and the auth flow breaks once it does.

Expected behavior

Calling getAccessToken should automatically refresh the expired accessToken, as described in the documentation, and return a valid token without requiring a full re-authentication flow.

What version of Better Auth are you using?

1.4.10

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.1.0: Mon Oct 20 19:34:05 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T6041",
    "release": "25.1.0",
    "cpuCount": 14,
    "cpuModel": "Apple M4 Pro",
    "totalMemory": "48.00 GB",
    "freeMemory": "0.38 GB"
  },
  "node": {
    "version": "v22.17.1",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "10.9.2"
  },
  "frameworks": [
    {
      "name": "next",
      "version": "~16.1.4"
    },
    {
      "name": "react",
      "version": "~19.2.1"
    }
  ],
  "databases": null,
  "betterAuth": {
    "version": "^1.4.10",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Client, Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  plugins: [
    genericOAuth({
      config: [
        keycloak({
            clientId: process.env.KEYCLOAK_ID ?? '',
            clientSecret: process.env.KEYCLOAK_SECRET ?? '',
            issuer: process.env.KEYCLOAK_ISSUER ?? '',
          }),
      ]
    })
  ],

  session: {
    expiresIn: 10 * 60 * 60,
    updateAge: 30 * 60,
    cookieCache: {
      enabled: true,
      strategy: 'jwe',
      maxAge: 10 * 60 * 60,
      refreshCache: true
    }
  },
});

Additional context

No response

Originally created by @stoompa on GitHub (Jan 30, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/7703 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce ## Critical bug: access token never refreshes after expiry (breaks auth flow) This has also been mentioned on Discord but didn’t get traction: - https://discord.com/channels/1288403910284935179/1464286520776069326 - https://discord.com/channels/1288403910284935179/1461083247160328393 ### Summary This appears to be a critical bug because it breaks the authentication flow entirely. Once the `accessToken` expires, it is **never refreshed**. Instead, calls that should transparently refresh the token fail with a `400 BAD_REQUEST`. ### Observed behavior When the token is expired, calling `getAccessToken` throws: ```js { status: 'BAD_REQUEST', body: [Object], headers: {}, statusCode: 400, [cause]: [Object] } ``` ### Current vs. Expected behavior ## Current issue The `accessToken` expires and is not automatically refreshed. In practice, the token expires every time and the auth flow breaks once it does. ## Expected behavior Calling `getAccessToken` should automatically refresh the expired `accessToken`, as described in the documentation, and return a valid token without requiring a full re-authentication flow. ### What version of Better Auth are you using? 1.4.10 ### System info ```bash { "system": { "platform": "darwin", "arch": "arm64", "version": "Darwin Kernel Version 25.1.0: Mon Oct 20 19:34:05 PDT 2025; root:xnu-12377.41.6~2/RELEASE_ARM64_T6041", "release": "25.1.0", "cpuCount": 14, "cpuModel": "Apple M4 Pro", "totalMemory": "48.00 GB", "freeMemory": "0.38 GB" }, "node": { "version": "v22.17.1", "env": "development" }, "packageManager": { "name": "npm", "version": "10.9.2" }, "frameworks": [ { "name": "next", "version": "~16.1.4" }, { "name": "react", "version": "~19.2.1" } ], "databases": null, "betterAuth": { "version": "^1.4.10", "config": null } } ``` ### Which area(s) are affected? (Select all that apply) Client, Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ plugins: [ genericOAuth({ config: [ keycloak({ clientId: process.env.KEYCLOAK_ID ?? '', clientSecret: process.env.KEYCLOAK_SECRET ?? '', issuer: process.env.KEYCLOAK_ISSUER ?? '', }), ] }) ], session: { expiresIn: 10 * 60 * 60, updateAge: 30 * 60, cookieCache: { enabled: true, strategy: 'jwe', maxAge: 10 * 60 * 60, refreshCache: true } }, }); ``` ### Additional context _No response_

GiteaMirror added the core oauth bug labels 2026-04-15 18:42:57 -05:00

GiteaMirror commented

2026-04-15 18:42:58 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 30, 2026):

It looks like you're experiencing a critical issue with the getAccessToken not refreshing the access token when it expires. This is indeed a recognized problem, as you've noted it breaks the authentication flow entirely.

From previous discussions and issues, it was highlighted that getAccessToken should ideally refresh the expired access token transparently. However, in your case, the API is returning a 400 BAD_REQUEST error instead, which indicates something might be misconfigured or not functioning as intended.

Here are a few steps to troubleshoot this issue:

Check provider configurations: Ensure that your providerId is correctly referenced and that the OAuth provider supports token refreshing.
Token Attributes: Confirm that your tokens indeed have an accessTokenExpiresAt attribute and that a refreshToken is available. If these are missing, it can lead to issues with token refreshing.
Refresh Logic: Since your bug report indicates potential internal issues with how tokens refresh, refer to any updates or fixes in the Better Auth documentation regarding token refresh handling.

If this issue persists, I recommend tagging Beka (@bekacru) or Max (@ping__) from the Better Auth team in your follow-up message for further assistance.

In the meantime, have you had a chance to review the latest updates or documentation regarding any changes to the token handling in Better Auth?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Jan 30, 2026): It looks like you're experiencing a critical issue with the `getAccessToken` not refreshing the access token when it expires. This is indeed a recognized problem, as you've noted it breaks the authentication flow entirely. From previous discussions and issues, it was highlighted that `getAccessToken` should ideally refresh the expired access token transparently. However, in your case, the API is returning a `400 BAD_REQUEST` error instead, which indicates something might be misconfigured or not functioning as intended. Here are a few steps to troubleshoot this issue: 1. **Check provider configurations**: Ensure that your `providerId` is correctly referenced and that the OAuth provider supports token refreshing. 2. **Token Attributes**: Confirm that your tokens indeed have an `accessTokenExpiresAt` attribute and that a `refreshToken` is available. If these are missing, it can lead to issues with token refreshing. 3. **Refresh Logic**: Since your bug report indicates potential internal issues with how tokens refresh, refer to any updates or fixes in the Better Auth documentation regarding token refresh handling. If this issue persists, I recommend tagging Beka (@bekacru) or Max (@ping__) from the Better Auth team in your follow-up message for further assistance. In the meantime, have you had a chance to review the latest updates or documentation regarding any changes to the token handling in Better Auth? _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-15 18:42:59 -05:00

@stoompa commented on GitHub (Jan 30, 2026):

Tagging @Bekacru here

@stoompa commented on GitHub (Jan 30, 2026): Tagging @Bekacru here

GiteaMirror commented

2026-04-15 18:43:00 -05:00

@dosubot[bot] commented on GitHub (Jan 30, 2026):

This is a known and recurring limitation in Better Auth's stateless mode, especially with providers like Keycloak. In stateless setups, tokens and session/account state are stored in cookies (like account_data). These cookies expire (default 5 minutes) and are only refreshed on sign-in or when a provider token is actually refreshed. If the cookie expires or isn't updated, getAccessToken fails with errors like 400 BAD_REQUEST or "Account not found", breaking the auth flow. There is no built-in automatic refresh for the account cookie, and workarounds like polling a keep-alive endpoint or calling getAccessToken periodically do not reliably update the cookie's expiry or refresh the token in practice. The refreshCache strategy only updates the cookie expiration, not the token itself, unless a refresh is triggered and the cookie is still present.

This limitation is well-documented and affects both client and backend flows. For production, maintainers and users recommend using at least minimal persistent storage for user/account data, or implementing custom logic to manage token storage and refresh if you must remain stateless. There are also Next.js-specific issues: if you call getAccessToken during Server Component rendering and a token refresh is needed, the Set-Cookie header is dropped, causing a refresh loop and stale cookies. The recommended workaround is to perform token refresh in middleware or route handlers before SSR begins, where cookies can be set properly.

Stateless auth support is still maturing in Better Auth, and users have reported moving away from it due to these issues. If you need robust token/session management, a persistent store is currently the only reliable option. More details and workarounds are discussed in these threads:

Let me know if you want more details on custom workarounds or have questions about your specific setup.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Jan 30, 2026):  This is a known and recurring limitation in Better Auth's stateless mode, especially with providers like Keycloak. In stateless setups, tokens and session/account state are stored in cookies (like `account_data`). These cookies expire (default 5 minutes) and are only refreshed on sign-in or when a provider token is actually refreshed. If the cookie expires or isn't updated, `getAccessToken` fails with errors like 400 BAD_REQUEST or "Account not found", breaking the auth flow. There is no built-in automatic refresh for the account cookie, and workarounds like polling a keep-alive endpoint or calling `getAccessToken` periodically do not reliably update the cookie's expiry or refresh the token in practice. The `refreshCache` strategy only updates the cookie expiration, not the token itself, unless a refresh is triggered and the cookie is still present. This limitation is well-documented and affects both client and backend flows. For production, maintainers and users recommend using at least minimal persistent storage for user/account data, or implementing custom logic to manage token storage and refresh if you must remain stateless. There are also Next.js-specific issues: if you call `getAccessToken` during Server Component rendering and a token refresh is needed, the Set-Cookie header is dropped, causing a refresh loop and stale cookies. The recommended workaround is to perform token refresh in middleware or route handlers before SSR begins, where cookies can be set properly. Stateless auth support is still maturing in Better Auth, and users have reported moving away from it due to these issues. If you need robust token/session management, a persistent store is currently the only reliable option. More details and workarounds are discussed in these threads: - [Stateless mode limitations and workarounds](https://github.com/better-auth/better-auth/discussions/6715) - [Known issues with getAccessToken in stateless mode](https://github.com/better-auth/better-auth/issues/2202#issuecomment-3471902430) - [Next.js App Router Set-Cookie bug](https://github.com/better-auth/better-auth/issues/7394) Let me know if you want more details on custom workarounds or have questions about your specific setup.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/7cf685e8-5ebb-4c86-9947-9ec7e9b57271?feedback_type=other)</sup> [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Open in Cursor](https://dosu.dev/dosu-in-cursor.svg)](https://cursor.com/link/prompt?text=This%20is%20a%20known%20and%20recurring%20limitation%20in%20Better%20Auth%27s%20stateless%20mode%2C%20especially%20with%20providers%20like%20Keycloak.%20In%20stateless%20setups%2C%20tokens%20and%20session/account%20state%20are%20stored%20in%20cookies%20%28like%20%60account_data%60%29.%20These%20cookies%20expire%20%28default%205%20minutes%29%20and%20are%20only%20refreshed%20on%20sign-in%20or%20when%20a%20provider%20token%20is%20actually%20refreshed.%20If%20the%20cookie%20expires%20or%20isn%27t%20updated%2C%20%60getAccessToken%60%20fails%20with%20errors%20like%20400%20BAD_REQUEST%20or%20%22Account%20not%20found%22%2C%20breaking%20the%20auth%20flow.%20There%20is%20no%20built-in%20automatic%20refresh%20for%20the%20account%20cookie%2C%20and%20workarounds%20like%20polling%20a%20keep-alive%20endpoint%20or%20calling%20%60getAccessToken%60%20periodically%20do%20not%20reliably%20update%20the%20cookie%27s%20expiry%20or%20refresh%20the%20token%20in%20practice.%20The%20%60refreshCache%60%20strategy%20only%20updates%20the%20cookie%20expiration%2C%20not%20the%20token%20itself%2C%20unless%20a%20refresh%20is%20triggered%20and%20the%20cookie%20is%20still%20present.%0A%0AThis%20limitation%20is%20well-documented%20and%20affects%20both%20client%20and%20backend%20flows.%20For%20production%2C%20maintainers%20and%20users%20recommend%20using%20at%20least%20minimal%20persistent%20storage%20for%20user/account%20data%2C%20or%20implementing%20custom%20logic%20to%20manage%20token%20storage%20and%20refresh%20if%20you%20must%20remain%20stateless.%20There%20are%20also%20Next.js-specific%20issues%3A%20if%20you%20call%20%60getAccessToken%60%20during%20Server%20Component%20rendering%20and%20a%20token%20refresh%20is%20needed%2C%20the%20Set-Cookie%20header%20is%20dropped%2C%20causing%20a%20refresh%20loop%20and%20stale%20cookies.%20The%20recommended%20workaround%20is%20to%20perform%20token%20refresh%20in%20middleware%20or%20route%20handlers%20before%20SSR%20begins%2C%20where%20cookies%20can%20be%20set%20properly.%0A%0AStateless%20auth%20support%20is%20still%20maturing%20in%20Better%20Auth%2C%20and%20users%20have%20reported%20moving%20away%20from%20it%20due%20to%20these%20issues.%20If%20you%20need%20robust%20token/session%20management%2C%20a%20persistent%20store%20is%20currently%20the%20only%20reliable%20option.%20More%20details%20and%20workarounds%20are%20discussed%20in%20these%20threads%3A%20%20%0A-%20%5BStateless%20mode%20limitations%20and%20workarounds%5D%28https%3A//github.com/better-auth/better-auth/discussions/6715%29%0A-%20%5BKnown%20issues%20with%20getAccessToken%20in%20stateless%20mode%5D%28https%3A//github.com/better-auth/better-auth/issues/2202%23issuecomment-3471902430%29%0A-%20%5BNext.js%20App%20Router%20Set-Cookie%20bug%5D%28https%3A//github.com/better-auth/better-auth/issues/7394%29%0A%0ALet%20me%20know%20if%20you%20want%20more%20details%20on%20custom%20workarounds%20or%20have%20questions%20about%20your%20specific%20setup.) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/7703)

GiteaMirror commented

2026-04-15 18:43:01 -05:00

@Lookwe69 commented on GitHub (Mar 23, 2026):

Any news ?

@Lookwe69 commented on GitHub (Mar 23, 2026): Any news ?

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#19511

[GH-ISSUE #7703] on stateless setup, calling getAccessToken does not refresh the access token when needed #19511

Is this suited for github?

To Reproduce

Critical bug: access token never refreshes after expiry (breaks auth flow)

Summary

Observed behavior

Current vs. Expected behavior

Current issue

Expected behavior

What version of Better Auth are you using?

System info

Which area(s) are affected? (Select all that apply)

Auth config (if applicable)

Additional context

[GH-ISSUE #7703] on stateless setup, calling `getAccessToken` does not refresh the access token when needed #19511