Looking for advice on handling token rotation for CXone API calls within a Pulumi custom provider. I’m building a TypeScript provider to manage CXone Studio snippets and I need to hit the /api/v2/oauth/token endpoint using the client_credentials grant. The issue is that the access_token expires after an hour and my provider state gets stale or fails on subsequent runs if I don’t handle refresh correctly. Here is my current fetch logic: const tokenResp = await fetch(‘https://api.niceincontact.com/api/v2/oauth/token’, { method: ‘POST’, headers: { ‘Content-Type’: ‘application/x-www-form-urlencoded’ }, body: new URLSearchParams({ ‘grant_type’: ‘client_credentials’, ‘client_id’: process.env.CXONE_CLIENT_ID, ‘client_secret’: process.env.CXONE_CLIENT_SECRET }) }); const tokenData = await tokenResp.json(); const accessToken = tokenData.access_token; I’m storing this accessToken in a global variable within the provider instance but I see intermittent 401 Unauthorized errors when the provider is idle for a bit during a large stack update. The error payload looks like { “status”: 401, “code”: “unauthorized”, “message”: “Invalid token” }. I know I could use the expiresIn field from the token response to cache the token, but Pulumi providers are long-lived processes and I want to avoid complex timer logic inside the resource CRUD methods. Is there a recommended pattern for implementing a simple token cache with expiration check in a Node.js based Pulumi provider? I’ve seen examples for Genesys Cloud using their SDK but CXone doesn’t have an official SDK that handles this gracefully in TypeScript. I just need a robust way to ensure I have a valid token before every API call without bloating the provider code too much. Any snippets or patterns you use for this in your IaC tools would be appreciated. I’m trying to keep the provider lightweight and avoid pulling in heavy HTTP client libraries if possible.