[BUG] VS Code Extension: Expired OAuth token reused across windows without refresh - breaks multi-project workflow

Resolved 💬 2 comments Opened Feb 2, 2026 by lgra Closed Mar 3, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

The VS Code extension reuses expired OAuth tokens when opening Claude Code in a new VS Code window, causing authentication failures that break the standard VS Code multi-project workflow.

When an OAuth token expires (after ~4 days) and I open Claude Code in a new VS Code window with a different project, the extension:

  1. ✅ Correctly retrieves the token from shared storage (macOS Keychain)
  2. ❌ Does NOT check if the token is expired before using it
  3. ❌ Sends the expired token to the API
  4. ❌ Shows a raw error message instead of handling refresh gracefully

This proves that windows DO share authentication state, but the token refresh logic is missing.

Why This is Critical:

  • VS Code is designed for multi-window workflows (1 project = 1 window)
  • Every new project window after token expiration requires manual re-auth via /logout
  • Breaks daily development workflow for users working on multiple projects
  • The API correctly detects expiration and suggests refresh, but the client doesn't implement it

What Should Happen?

When opening Claude Code in a new VS Code window after token expiration, the extension should:

Option A (Optimal): Automatically refresh the expired token

  • Check token expiration locally (JWT exp claim) before API calls
  • Use refresh token to get new access token transparently
  • No user intervention required

Option B (Minimum): Handle 401 responses gracefully

  • Intercept 401 "token expired" errors
  • Automatically refresh token and retry the request
  • Seamless experience for the user

Option C (Acceptable): Show clear re-authentication prompt

  • Display user-friendly notification: "Your session has expired"
  • Provide one-click re-authentication button
  • Better than raw error message

Expected result: Users can work across multiple VS Code windows/projects seamlessly without manual token management.

Error Messages/Logs

API Error: 401 {"type":"error","error":{"type":"authentication_error","message":"OAuth token has expired. Please obtain a new token or refresh your existing token."},"request_id":"req_011CXjkQrRzzLTZavu5JV3bn"} · Please run *login

Steps to Reproduce

  1. Open VS Code window 1 with project A
  2. Authenticate with Claude Code via OAuth → token stored in macOS Keychain
  3. Use Claude Code normally (everything works fine)
  4. Wait 4+ days for token to expire (or manually expire the token in Keychain for faster testing)
  5. Open a NEW VS Code window with project B (different project folder)
  6. Open Claude Code in the new window (Cmd+Shift+Esc or via sidebar)
  7. Try to use Claude Code

Observed: Authentication fails with 401 error "OAuth token has expired"

Expected: Token refreshes automatically or clear re-auth prompt appears

Frequency: 100% reproducible after token expiration when opening new VS Code windows

Current workaround: Run /logout then re-authenticate manually in each new window (very disruptive)

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

Unknown - requires investigation into when cross-window token sharing was implemented

Claude Code Version

VS Code Extension (latest as of 2026-02-02)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

VS Code integrated terminal

Additional Information

Related Issues:

  • #12447 - General OAuth token refresh handling (this adds the VS Code multi-window angle)
  • #8385 - Authentication not persisting across chats (similar symptom)
  • #15007 - /login not recovering sessions (related recovery issue)

Technical Details:

  • Request ID: req_011CXjkQrRzzLTZavu5JV3bn
  • Error Type: authentication_error
  • HTTP Status: 401 Unauthorized
  • Token Storage: macOS Keychain (shared across VS Code instances)
  • Token Lifespan: ~4 days before expiration

Root Cause:
The extension shares tokens across windows (proven by window 2 attempting to use window 1's token) but lacks token lifecycle management. The backend correctly reports expiration and suggests refresh, but the client doesn't implement the refresh mechanism.

Impact:

  • Severity: High
  • Affects all VS Code users with multi-project workflows
  • Workaround exists (/logout + re-auth) but is extremely disruptive

Proposed Implementation:
Standard OAuth refresh token pattern - check JWT exp claim before requests, or intercept 401 responses and refresh automatically. This is standard practice in OAuth implementations.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗