We’re hitting a weird issue with our OAuth2 token management in the WFM scheduler. The app uses the client credentials flow to get an access token. Everything works fine for the first hour. Then the token expires.
The code catches the expiry, calls /oauth/token with grant_type=refresh_token, and gets a fresh 200 OK response with a new access_token and expires_in. The JSON payload looks good. We store the new token in memory.
Immediately after that success, we try a simple GET to /api/v2/users/me. We get a 401 Unauthorized. The response body says "error":"invalid_token","error_description":"The access token is invalid".
It’s not a permission issue. The token works for about 30 seconds after the refresh, then fails again. Then we refresh again, and it works for 30 seconds. It feels like a clock skew issue between our server and the Genesys auth server. Our server time is set via NTP and matches US/Central time perfectly.
Here is the relevant Python snippet:
import requests

# Refresh only when the cached token has expired
if is_token_expired():
    new_token = refresh_oauth_token(refresh_token)
    headers['Authorization'] = f"Bearer {new_token['access_token']}"

# First call made with the refreshed token
response = requests.get(USERS_ME_URL, headers=headers)
print(response.status_code)  # 401
Is there a way to force the token validation to ignore slight time differences? Or are we missing a step in the refresh flow?
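A way to test the clock-skew hypothesis raised in the post above, as an added example that is not part of the original post: it measures local-versus-server clock difference from the HTTP Date header of a token response and tracks token expiry from receipt time plus expires_in on a monotonic clock. The names clock_skew_seconds and TokenCache, the 60-second margin, and the presence of a Date header on the auth server's response are assumptions; the sample values are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

SAFETY_MARGIN_S = 60  # assumed margin: treat the token as expired this early

# Constructed sample: Date header from a token response, and the local clock
# reading (US/Central, UTC-6) taken when that response arrived.
SAMPLE_DATE_HEADER = "Tue, 05 Mar 2024 15:00:00 GMT"
SAMPLE_LOCAL_NOW = datetime(2024, 3, 5, 9, 0, 42,
                            tzinfo=timezone(timedelta(hours=-6)))


def clock_skew_seconds(date_header: str, local_now: datetime) -> float:
    """Local clock minus server clock, in seconds (Date has 1 s resolution).

    Both values are timezone-aware, so the local zone does not affect the result.
    """
    server_now = parsedate_to_datetime(date_header)
    return (local_now - server_now).total_seconds()


class TokenCache:
    """Holds one access token and a deadline derived from expires_in.

    The deadline is computed from the moment the response was received on a
    monotonic clock (time.monotonic() in real use), so wall-clock adjustments
    by NTP cannot move it.
    """

    def __init__(self, margin_s: int = SAFETY_MARGIN_S):
        self.margin_s = margin_s
        self.access_token = None
        self.deadline = None

    def store(self, token_response: dict, received_at: float) -> None:
        self.access_token = token_response["access_token"]
        self.deadline = received_at + token_response["expires_in"] - self.margin_s

    def is_expired(self, now: float) -> bool:
        return self.deadline is None or now >= self.deadline


if __name__ == "__main__":
    skew = clock_skew_seconds(SAMPLE_DATE_HEADER, SAMPLE_LOCAL_NOW)
    print(f"local clock is {skew:+.0f} s relative to the server")
```

A skew of a second or two is within the resolution of the Date header; a consistently larger value is worth checking before looking elsewhere in the refresh flow.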