← All writing
January 6, 2025·5 min read

Silent JWT refresh without the thundering herd

One in-flight refresh, N queued retries

The 401 handler you copy-paste from Stack Overflow will fire N parallel refresh calls the moment your access token expires. Here's the fix.

The bug

Twelve requests fire concurrently. Access token expires. All twelve 401. Each interceptor calls /refresh. Now you have twelve refresh tokens in flight racing to invalidate each other, and one of them wins by luck.

The fix

Store the refresh promise on the client. If a request 401s and a refresh is in flight, await the existing promise instead of starting a new one. When it resolves, retry every queued request with the new token. One refresh, N retries.

AuthJWTAxios