Sliding window refresh logic drifts on the WEM adherence poller, causing 401s right before TTL expiry. JWT scope passes local checks but API returns 401 Unauthorized.
def refresh_token():
if cache.get('token') and time.time() < expiry - SLIDING_BUFFER:
return cache['token']
resp = requests.post(TOKEN_ENDPOINT, data=REFRESH_PAYLOAD)
if resp.status_code == 401:
log_anomaly("INTROSPECTION_MISMATCH")
return None
In-memory TTL store handles caching while CLIENT_SECRET comes from ENV_VARS. TOKEN_PROVIDER shares the session across SDKs. Sliding window math breaks after 4 hours. Token doesn’t renew. Cache drops the token early.