Getting 401 Unauthorized immediately after successful token refresh in .NET SDK

We are building a custom agent desktop wrapper in C# using the Genesys Cloud .NET SDK. The app handles long-running sessions for agents, so we implemented automatic token refresh logic to keep the connection alive. The refresh flow itself seems to be working correctly. We catch the 401 response from a failed API call, trigger the refresh using the stored refresh token, and receive a new access token and refresh token from the /api/v2/oauth/token endpoint. The response looks valid, with a fresh expiration time.

However, the very next API call we make with the new token fails with a 401 Unauthorized error. This is happening consistently. I have checked the token expiration times in the response, and they look fine. The issue seems to be related to clock skew between our application server and the Genesys Cloud authentication service.

Here is the relevant code snippet where we handle the refresh and retry:

public async Task<string> GetAccessTokenAsync()
{
    var config = new ApiClientConfiguration(organizationId, clientId, clientSecret);
    var oauthApi = new OAuthApi(config);

    // This is called when a previous request failed with 401
    var response = await oauthApi.PostOauthTokenAsync(new PostOauthTokenRequest
    {
        GrantType = "refresh_token",
        RefreshToken = _refreshToken
    });

    if (response.IsError)
    {
        throw new Exception("Token refresh failed");
    }

    _accessToken = response.Body.AccessToken;
    _refreshToken = response.Body.RefreshToken;
    _expiresAt = DateTime.UtcNow.AddSeconds(response.Body.ExpiresIn);

    return _accessToken;
}

After this method completes, we retry the original request. The server time on our IIS box is synced via NTP, but there might be a slight drift. Is there a way to specify a clock skew tolerance in the .NET SDK configuration? Or should we be adjusting the token expiration time manually before storing it? The docs mention clock skew as a potential cause for 401 errors after refresh, but I don’t see a specific setting to handle it in the ApiClientConfiguration class. Any ideas on how to debug this further?
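
One way to test the clock-skew hypothesis and to store the expiry with a safety margin, as an added example that is not part of the original post and does not use the Genesys Cloud SDK. `SkewAwareTokenCache`, `MeasureSkew`, the `rejectedToken` parameter and the refresh delegate are hypothetical names, and the token values in `Demo` are constructed.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
// Hypothetical helper for illustration; not part of the Genesys Cloud SDK.
public sealed class SkewAwareTokenCache
{
    private readonly Func<string, Task<(string, string, int)>> _refresh; // (access, refresh, expires_in)
    private readonly TimeSpan _margin;
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);
    private string _accessToken, _refreshToken;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public SkewAwareTokenCache(Func<string, Task<(string, string, int)>> refresh, string refreshToken, TimeSpan margin)
        => (_refresh, _refreshToken, _margin) = (refresh, refreshToken, margin);

    // Server clock minus local clock, read from the HTTP Date header (1 s resolution).
    public static TimeSpan? MeasureSkew(HttpResponseMessage response, DateTimeOffset localNow)
        => response.Headers.Date is DateTimeOffset serverNow ? serverNow - localNow : (TimeSpan?)null;

    // Pass the token that just drew a 401 as rejectedToken; pass null for a normal lookup.
    public async Task<string> GetAccessTokenAsync(string rejectedToken = null)
    {
        await _gate.WaitAsync(); // one refresh at a time, so concurrent 401s do not race
        try
        {
            // Reuse the cached token unless it is the rejected one or inside the margin.
            if (_accessToken != null && _accessToken != rejectedToken && DateTimeOffset.UtcNow < _expiresAt)
                return _accessToken;
            var requestedAt = DateTimeOffset.UtcNow; // taken before the round trip
            var (access, refresh, expiresIn) = await _refresh(_refreshToken);
            _accessToken = access;
            _refreshToken = refresh ?? _refreshToken;
            _expiresAt = requestedAt.AddSeconds(expiresIn) - _margin;
            return _accessToken;
        }
        finally { _gate.Release(); }
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sample: the delegate stands in for the real token request.
        var cache = new SkewAwareTokenCache(rt => Task.FromResult(("access-" + Guid.NewGuid(), "refresh-next", 3600)),
            "refresh-initial", TimeSpan.FromSeconds(60));
        var first = await cache.GetAccessTokenAsync();
        Console.WriteLine(first == await cache.GetAccessTokenAsync());      // True: served from cache
        Console.WriteLine(first == await cache.GetAccessTokenAsync(first)); // False: rejected token replaced
    }
}
```

Logging `MeasureSkew(response, DateTimeOffset.UtcNow)` for the 401 response that follows a refresh shows how far the local clock is from the server's `Date` header. The margin only makes the client refresh earlier; it does not change how the server validates a token.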