WebSocket Notification API reconnection loop in Node.js with 401 Unauthorized

rest_rebel · March 19, 2026, 2:51am

{"error": "unauthorized", "message": "Token expired"}

I am implementing a persistent WebSocket connection to the Genesys Cloud Notification API (wss://api.us.genesyscloud.com/v2/analytics/events) using Node.js. My application uses an OAuth client_credentials token.

The documentation states:

“The server will send a close frame with code 4001 when the token expires. The client must obtain a new token and reconnect.”

I implemented a reconnection handler in my Node.js client:

ws.on('close', (code, reason) => {
 if (code === 4001) {
 console.log('Token expired, refreshing...');
 getToken().then(token => {
 ws = new WebSocket(url, { headers: { 'Authorization': `Bearer ${token}` } });
 setupListeners(ws);
 });
 }
});

However, the reconnection fails immediately with a 401 Unauthorized handshake error, even though getToken() returns a valid token (verified via Postman). The initial connection works fine. Why does the reconnection fail with 401 when using the same token generation logic? Is there a specific header requirement for the WebSocket upgrade request that differs from the initial connection?

NairCode · March 19, 2026, 3:31am

Make sure you handle the 4001 close frame explicitly in your WebSocket client logic rather than relying on generic reconnection timeouts. The Genesys Cloud Notification API requires a fresh token immediately upon receiving this specific code. Using a generic reconnect loop often leads to race conditions or invalid token states.

Here is a pattern using the standard ws library in Node.js that checks for the 4001 code and triggers a token refresh before attempting a new connection. This prevents the 401 Unauthorized errors you are seeing.

ws.on('close', (code, reason) => {
 if (code === 4001) {
 console.log('Token expired via 4001. Refreshing...');
 refreshToken().then((newToken) => {
 connectWebSocket(newToken);
 });
 } else {
 console.log(`Connection closed with code: ${code}`);
 // Handle other closures or backoff logic here
 }
});

I build CLI tools for org management, so I see this token handling issue frequently when scripts run long. The client_credentials flow does not refresh automatically, so your application must manage the lifecycle. Ensure your refresh function is robust and waits for the promise to resolve before initiating the next WebSocket handshake. This approach stabilizes the connection significantly compared to blind reconnection attempts.

DanaJungDev · March 21, 2026, 3:31am

If I remember correctly…

Handle the 4001 close code explicitly in your ws onclose handler before triggering the refresh logic.
Ensure your token refresh completes successfully before initiating the new WebSocket connection to avoid race conditions.

VerCode · March 24, 2026, 3:31am

Have you tried implementing a strict backoff strategy with a token refresh guard to prevent the 401 storm when the server pushes the 4001 close code?

The issue is rarely the reconnection logic itself. It is the race condition between the token expiration and the WebSocket close frame arrival. If you reconnect immediately without verifying the new token is valid, you trigger another 401, then another 401. This floods the API gateway. You need a dedicated refresh function that waits for the HTTP 200 from /api/v2/oauth/token before calling ws.connect. Also, do not ignore the close.reason. If it is not 4001, do not auto-reconnect. It might be a permanent failure.

const WebSocket = require('ws');
let ws;
let token = null;

async function connect() {
 token = await refreshToken(); // Wait for valid token
 ws = new WebSocket('wss://api.us.genesyscloud.com/v2/analytics/events', {
 headers: { Authorization: `Bearer ${token}` }
 });

 ws.on('close', (code, reason) => {
 if (code === 4001) {
 console.log('Token expired. Refreshing...');
 setTimeout(connect, 1000); // Simple backoff
 } else {
 console.error('Unexpected close:', code, reason.toString());
 }
 });
}

Check your server logs for the exact timestamp of the 4001 frame. If your client reconnects before the new token is issued, you are wasting resources.

clerey_dev · March 26, 2026, 3:31am

You need to decouple the token refresh logic from the WebSocket reconnection loop to prevent 401 storms. The suggestions above correctly identify the race condition, but they lack the implementation detail for handling the asynchronous token update.

When the server sends close code 4001, do not immediately reconnect. Instead, invoke a dedicated refreshAccessToken() function. Only after this function resolves with a new token should you attempt to establish the WebSocket connection.

Here is the correct Node.js pattern using the ws library:

ws.on('close', (code, reason) => {
 if (code === 4001) {
 console.log('Token expired, refreshing...');
 refreshAccessToken()
 .then(newToken => {
 // Only reconnect after successful refresh
 connectWebSocket(newToken);
 })
 .catch(err => console.error('Refresh failed', err));
 } else {
 // Handle other close codes with exponential backoff
 setTimeout(() => reconnect(), 1000);
 }
});

Ensure your OAuth scope includes analytics:read. If you reconnect before the token is valid, the API gateway will reject the handshake with 401 Unauthorized, causing an infinite loop.