Auth token expiring?

I have…

I’m submitting a…

  • [x] Regression (a behavior that stopped working in a new release)
  • [ ] Bug report
  • [ ] Performance issue
  • [ ] Documentation issue or request

Current behavior

I have a “middle man” between my app and Squidex (using YARP in a .NET backend) which takes care of retrieving auth tokens for interacting with the Squidex API.

Today I noticed that I was getting 401 errors, and it seems a Squidex auth token that was working stopped working (it hasn’t expired).

I have logic to get a new token when the old one expires, so it isn’t that it’s expired, it just seems to have stopped working.

Not sure if this is related, but I’ve noticed I’ve been prompted to log in when going to https://cloud.squidex.io/ today (on more than one occasion).

Expected behavior

The auth tokens continue to work until they expire.

Minimal reproduction of the problem

Not sure how to reproduce this one. I’ll keep an eye on it here and add some logging to my API to see if I can get something useful for debugging purposes.

Environment

App Name:

  • [ ] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [x] Cloud version

Me too, and I am not sure why it happened, tbh. But in general you should not trust a token. Let’s say we are hacked and have to deploy a fix with new private keys; then all tokens would become invalid.

OK, am I better to just request a new token for every call instead?

I implemented caching just to save making that additional request for every graphql call, but happy to try a different approach.

Here’s what I’m currently doing…

    public async ValueTask<string> GetToken()
    {
        // Refresh only when nothing is cached or the token's lifetime has elapsed.
        // A token the server rejects before its expiry is still served from the cache.
        if (_token == null || _expiry <= DateTime.UtcNow)
        {
            _token = await RequestNewToken();
            _expiry = DateTime.UtcNow.AddSeconds(_token.expires_in);
        }

        return _token.access_token;
    }

No, this would kill performance. This is how I solve it in the SDK: https://github.com/Squidex/squidex-samples/blob/master/csharp/Squidex.ClientLibrary/Squidex.ClientLibrary/Utils/AuthenticatingHttpMessageHandler.cs

Got it, so try using the token, if it fails get a new one and try again (essentially)?


Yes. I guess you could use this part of the SDK, if you want. There is also a method CreateClient() or so on the ISquidexClient class. Then you get a raw HttpClient with authentication and you could use that to implement your reverse proxy. Not sure if it helps with YARP.


Thanks,

This actually made me realise YARP was a bit overkill for what I’m doing here, so I just wrote a little bit of code to handle it myself, and adopted a similar approach as in the example you shared, to fetch a new token if the old one stops working for any reason.

Thanks for the nudge in the right direction 🙂

I have also built a simple proxy in node:

Just for demo purposes.

@Sebastian
I am having the exact same issue.

We request new tokens when the old ones have expired; however, we get 401 responses back.

It was working fine till about a week or 2 ago.

We are using the cloud version of Squidex.

When we open an incognito window and clear application caches, it works fine; however, if we use a token that was issued before, but has not expired yet, it fails.

Is there anything we can do?

Should we perhaps create a new client instead of using the old client that we used before?

I can only give the same answer as above…


Ok thanks @Sebastian, I added a second check that, even if the token is not expired yet, if it comes back with a 401 status, then I ask for a new token again.

This seems to work.

Thanks

1 Like
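
The approach settled on in this thread (use the cached token, and if the server answers 401 before the token's expiry, fetch a new one and retry once), as an added example. It is not the Squidex SDK's code or any poster's; `CachedTokenHandler` and the `requestNewToken` delegate are hypothetical names, and the request body is assumed to be buffered so it can be sent twice.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler: caches a bearer token, refreshes on expiry or on a 401.
public sealed class CachedTokenHandler : DelegatingHandler
{
    private readonly Func<CancellationToken, Task<(string AccessToken, int ExpiresIn)>> _requestNewToken;
    private readonly SemaphoreSlim _lock = new SemaphoreSlim(1, 1);
    private string? _token;
    private DateTime _expiry;

    public CachedTokenHandler(
        Func<CancellationToken, Task<(string AccessToken, int ExpiresIn)>> requestNewToken,
        HttpMessageHandler inner) : base(inner) => _requestNewToken = requestNewToken;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var token = await GetTokenAsync(null, ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await base.SendAsync(request, ct);
        if (response.StatusCode != HttpStatusCode.Unauthorized) return response;

        // Rejected although not expired locally (e.g. signing keys rotated server-side).
        // Replace the token and retry exactly once; a second 401 goes back to the caller.
        response.Dispose();
        token = await GetTokenAsync(token, ct);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }

    private async Task<string> GetTokenAsync(string? rejected, CancellationToken ct)
    {
        await _lock.WaitAsync(ct);
        try
        {
            // Refresh when nothing is cached, the lifetime has elapsed, or the cached token
            // is the one that was just rejected. If a concurrent request already replaced
            // the rejected token, reuse the new one instead of requesting another.
            if (_token == null || _token == rejected || _expiry <= DateTime.UtcNow)
            {
                var t = await _requestNewToken(ct);
                _token = t.AccessToken;
                _expiry = DateTime.UtcNow.AddSeconds(t.ExpiresIn);
            }
            return _token;
        }
        finally { _lock.Release(); }
    }
}
```

Limiting the retry to one attempt keeps a genuinely invalid client ID or secret from turning every request into a loop of token requests.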