OAuth token race condition causes session logouts when running multiple concurrent sessions

Resolved 💬 3 comments Opened Mar 31, 2026 by AltonSun Closed Mar 31, 2026

Summary

Running multiple concurrent Claude Code sessions on a single Max subscription account causes frequent, unexpected logouts. This affects users who work across multiple projects simultaneously.

Root Cause (inferred)

Claude Code stores OAuth credentials in the macOS keychain with a single shared refresh token. When multiple sessions simultaneously attempt a token refresh, there is no coordination mechanism between processes. One session successfully writes the new refresh token; the others send the now-invalidated old token. The server interprets this as a token replay attack and revokes the session, forcing a manual re-login.

Steps to Reproduce

  1. Open several terminal tabs, each running an active Claude Code session in different project directories
  2. Let them sit idle for a period (token refresh window)
  3. Resume activity across sessions simultaneously
  4. One or more sessions are logged out with no warning

Expected Behavior

Multiple concurrent sessions on the same account should coordinate token refreshes — e.g. via a file lock, a single token-refresh daemon, or a shared credential store — so that only one refresh happens at a time and all sessions receive the updated token.

Actual Behavior

Sessions race to refresh. Losers get their tokens permanently revoked. User must manually re-login to restore, interrupting active work.

Impact

  • Users working across multiple simultaneous projects are disproportionately affected
  • No clean workaround exists within Max subscription (API key bypasses OAuth but adds per-token cost)
  • Manual session staggering is not a viable UX for professional workflows

Suggested Fix

  • Add flock-style locking around keychain writes during token refresh
  • Or: run a single credential daemon that all Claude Code processes route token refreshes through
  • Or: expose a config option that lets users supply tokens from an external process they control

Environment

  • macOS
  • Claude Code (latest)
  • Auth method: OAuth / Max subscription
  • Multiple concurrent sessions across different project directories

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗