OAuth token race condition causes session logouts when running multiple concurrent sessions
Summary
Running multiple concurrent Claude Code sessions on a single Max subscription account causes frequent, unexpected logouts. This affects users who work across multiple projects simultaneously.
Root Cause (inferred)
Claude Code stores OAuth credentials in the macOS keychain with a single shared refresh token. When multiple sessions simultaneously attempt a token refresh, there is no coordination mechanism between processes. One session successfully writes the new refresh token; the others send the now-invalidated old token. The server interprets this as a token replay attack and revokes the session, forcing a manual re-login.
Steps to Reproduce
- Open several terminal tabs, each running an active Claude Code session in different project directories
- Let them sit idle for a period (token refresh window)
- Resume activity across sessions simultaneously
- One or more sessions are logged out with no warning
Expected Behavior
Multiple concurrent sessions on the same account should coordinate token refreshes — e.g. via a file lock, a single token-refresh daemon, or a shared credential store — so that only one refresh happens at a time and all sessions receive the updated token.
Actual Behavior
Sessions race to refresh. Losers get their tokens permanently revoked. User must manually re-login to restore, interrupting active work.
Impact
- Users working across multiple simultaneous projects are disproportionately affected
- No clean workaround exists within Max subscription (API key bypasses OAuth but adds per-token cost)
- Manual session staggering is not a viable UX for professional workflows
Suggested Fix
- Add
flock-style locking around keychain writes during token refresh - Or: run a single credential daemon that all Claude Code processes route token refreshes through
- Or: expose a config option that lets users supply tokens from an external process they control
Environment
- macOS
- Claude Code (latest)
- Auth method: OAuth / Max subscription
- Multiple concurrent sessions across different project directories
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗