Security Token Refresh 401 During High Concurrency JMeter Load

Hey everyone, I’ve run into a really strange issue with OAuth token refresh under load. Using JMeter 5.6.2 to simulate 50 concurrent agents in US1. After 300 seconds, the /api/v2/authentication/refresh endpoint returns 401 Unauthorized. The initial tokens are valid. Is there a rate limit on token refresh endpoints that I am missing? Here is the payload structure:

{
 "grant_type": "refresh_token",
 "refresh_token": "abc123xyz"
}

Any insights on capacity limits for auth endpoints?

The 401 error typically stems from concurrent refresh attempts invalidating the token state. Implement a singleton lock around the /api/v2/authentication/refresh call in your JMeter script. Ensure only one thread requests a new token at a time, then broadcast the new access_token and refresh_token to all virtual users. This prevents race conditions.
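
The race described in the reply above, as an added example that is not part of the original thread: a Python simulation rather than a JMeter script. It assumes the refresh endpoint rotates refresh tokens (each one is single-use); `RotatingAuthServer`, `SharedTokenStore` and `run_users` are hypothetical names, and the server is a constructed in-memory stand-in.

```python
import threading

class RotatingAuthServer:
    """Constructed stand-in: only the most recently issued refresh token is valid."""
    def __init__(self, first_token):
        self._valid, self._issued = first_token, 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self._valid:
                return 401, None  # token was already rotated by another caller
            self._issued += 1
            self._valid = f"rt-{self._issued}"
            return 200, {"access_token": f"at-{self._issued}",
                         "refresh_token": self._valid}

class SharedTokenStore:
    """One token pair for all virtual users; only one thread refreshes."""
    def __init__(self, server, access_token, refresh_token):
        self._server, self._lock = server, threading.Lock()
        self.access_token, self.refresh_token = access_token, refresh_token

    def refresh_if_stale(self, stale_access_token):
        with self._lock:
            if self.access_token != stale_access_token:
                return 200  # another thread refreshed while we waited: reuse it
            status, body = self._server.refresh(self.refresh_token)
            if status == 200:
                self.access_token = body["access_token"]
                self.refresh_token = body["refresh_token"]
            return status

def run_users(n, locked):
    """Return the status each of n users gets when all refresh at the same moment."""
    server = RotatingAuthServer("rt-0")
    store = SharedTokenStore(server, "at-0", "rt-0")
    barrier, statuses = threading.Barrier(n), []

    def user():
        stale_at, stale_rt = store.access_token, store.refresh_token
        barrier.wait()  # every user notices the expiry together
        statuses.append(store.refresh_if_stale(stale_at) if locked
                        else server.refresh(stale_rt)[0])

    threads = [threading.Thread(target=user) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses
```

With 50 users and no lock, one caller gets 200 and the other 49 get 401; with the shared store, the server sees a single refresh and every user continues with the new pair.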