if a user has been idle for some period of time and then attempts to query your resource, and their session has expired, the resource returns a 401 or 403 error code. Instead of returning an error, Retool can perform a refresh auth workflow that you define. If the refresh auth workflow is successful, Retool attempts to run the failed query again. Because the user now has a valid authentication session, the second attempt to run the query will succeed and the user can continue using the app without interruption.
Does that mean that if we select "Refresh Auth trigger" as "none", then on every 401 or 403 returned error code, Retool will try to refresh the token?
I ask because I have selected "time based expiration" (value is 3600 sec), however it seems the auth token is not getting refreshed.
Or does the "time based expiration" trigger mean it will refresh 3600 seconds after any API returns a 401 or 403 error code?
@Arvind,
Yes, if you set it to "none", then on every 401 or 403, it should run the refresh workflow. If you set a time, it'll run the refresh workflow each time that time span has passed, regardless of status codes. Are you saying that after one hour (3600 seconds), your token is not being refreshed?
Yes, it's not refreshed.
By the way, how can we confirm in the app that the token is refreshed?
JFYI, even after setting it to "none", the token is not refreshing and we are getting an error notification.
@Arvind ,
Also, sorry I was wrong... you will not be able to see your token or API call in your network tab. Really I think the only way to confirm is that your API does not return a 401 unauthorized error.
@lindakwoo When hitting the "Test auth workflow" or "Test refresh auth workflow" buttons immediately, it works and I am getting a token.
But when I am hitting the "Test refresh auth workflow" button after some time, like an hour or more,
I am getting the "Refresh auth workflow failed: Authentication failure. Missing access token" error.
@Arvind,
This is strange behavior. Are you saying that your "Test refresh auth workflow" button stops working after an hour? Is it just the second attempt that doesn't work? What if you test it and then test it again immediately? Does it work the second time?
@lindakwoo
After a period of inactivity, if the application is idle or the user is logged off from the system, or is actively working in another application (outside the browser where the Retool app is open), the "Test refresh auth workflow" button consistently returns the following error: "Refresh auth workflow failed: Authentication failure. Missing access token."
However, when the user remains active in the same browser and the Retool app is not idle, the "Test refresh auth workflow" button works as expected and successfully returns a token each time.
@Arvind,
This "Refresh auth workflow failed: Authentication failure. Missing access token" error has to do with your Retool session and not actually the resource refresh access token. Have you set your user session duration in the SSO config to be an hour? If so, the user would have to log back in.
However, just a heads up: we have observed that the access token is actually missing when the query is failing with code 401 with the response "Authentication failure. Missing access token".
@Arvind,
I'm pretty sure this error has to do with the access token related to your Retool Session and not the specific query. The accessToken in your cookies is the one from your SSO provider.
@lindakwoo Not yet, but we are working with the Retool space manager and admin.
However, as a backup plan, how can we check in the Retool UI that the SSO token is expired or about to expire, and notify/alert the user?
@Arvind,
You can check the access token expiration on the current_user object: current_user.metadata.accessToken.exp. This is a unix timestamp, so you can convert it to a date and time to find out when it expires.
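An added example (not part of the original thread and not Retool's own code) of the expiry check described in the answer above, extended to flag tokens that are about to expire and to handle a missing `exp`. The names `tokenStatus` and `WARN_WINDOW_SEC`, the five-minute window and the sample objects are assumptions made for illustration.

```javascript
// Classify an access token by its `exp` claim (Unix timestamp in seconds).
// Hypothetical helper; the user object is passed in so it also runs outside Retool.
const WARN_WINDOW_SEC = 5 * 60; // assumed warning window before expiry

function tokenStatus(user, nowMs = Date.now(), warnWindowSec = WARN_WINDOW_SEC) {
  const exp = user?.metadata?.accessToken?.exp;
  const isNumeric =
    typeof exp === "number" || (typeof exp === "string" && exp.trim() !== "");
  const expSec = isNumeric ? Number(exp) : NaN;
  if (!Number.isFinite(expSec) || expSec <= 0) {
    // No usable claim: report "unknown" rather than guessing expired or valid.
    return { state: "unknown", expiresAt: null, secondsLeft: null };
  }
  const secondsLeft = Math.floor(expSec - nowMs / 1000);
  let state = "valid";
  if (secondsLeft <= 0) state = "expired";
  else if (secondsLeft <= warnWindowSec) state = "expiring_soon";
  // exp is in seconds, JavaScript dates are in milliseconds.
  return { state, expiresAt: new Date(expSec * 1000).toISOString(), secondsLeft };
}

// Constructed sample data: a fixed "now" and four user objects.
const NOW_MS = Date.UTC(2025, 4, 29, 12, 0, 0);
const NOW_SEC = NOW_MS / 1000;
const withExp = (exp) => ({ metadata: { accessToken: { exp } } });
const samples = {
  expired: withExp(NOW_SEC - 86400), // expired one day earlier
  soon: withExp(NOW_SEC + 120),      // two minutes left
  valid: withExp(String(NOW_SEC + 3600)), // numeric string, one hour left
  missing: { metadata: {} },         // no accessToken at all
};

for (const [name, user] of Object.entries(samples)) {
  console.log(name, tokenStatus(user, NOW_MS));
}
```

Inside a Retool app the first argument would be the `current_user` object named in the answer above, and the `expiring_soon` state is the point at which to show the user a notification.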
@lindakwoo We've implemented improved error handling for all scenarios, including token-related issues, based on API query responses.
However, we're facing a challenge with handling token expiry on the Retool UI. Despite the following logic correctly identifying that the token has expired:
    function checkExpiry() {
      const expirationTimestamp = current_user.metadata.accessToken.exp;
      const expirationDate = new Date(expirationTimestamp * 1000);
      return expirationDate < new Date();
    }
The function consistently returns true (indicating the token is expired), yet the API queries continue to execute successfully without triggering any authentication failure.
This inconsistency is preventing us from reliably detecting and handling token expiry on the frontend.
Also, is there a way to intentionally invalidate or simulate the expiration of an SSO session in Retool, without fully logging out, for testing purposes in development mode? We're looking to mimic token expiry-related errors on the UI without ending the actual session.
We are checking this transformer on JavaScript function failure: if the JavaScript function fails and this transformer returns true, that means the token has expired. However, this transformer's state in the deployed environment is always false (refer to the screenshot below).
However, if you check the Unix timestamp for the SSO expiry time, it gives 28 May 2025, yesterday's time, and on debugging it properly returns true (refer to the screenshot below), as expected. Then why does the state of the transformer ssoTokenExpiryCheck still show false?