[BUG] apiKeyHelper: 403 from expired token not retried — first prompt after idle always fails
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
When using apiKeyHelper with a token provider that issues short-lived tokens (e.g., Databricks OAuth, 1-hour lifetime), the first prompt after the token expires always fails with "API Error: 403 Invalid Token". The second prompt immediately after succeeds.
This happens because when the cached token is stale, Claude Code returns the stale (expired) token to the API immediately and refreshes in the background (stale-while-revalidate). On a 403, no cache clearing or retry occurs — the error is shown to the user and the fresh token from the background refresh is only used on the next prompt.
This is the same class of issue that was fixed for AWS Bedrock (where 403s clear the AWS credential cache and retry), but the fix doesn't extend to generic apiKeyHelper users.
What Should Happen?
A 403 when apiKeyHelper is the auth source should clear the apiKeyHelper cache and retry the request (blocking until the helper returns a fresh token), matching the Bedrock-specific 403 handling.
Error Messages/Logs
Please run /login · API Error: 403 Invalid Token
Steps to Reproduce
- Configure
apiKeyHelperin settings to use a command that returns short-lived tokens (e.g.,databricks auth tokenwhich returns 1-hour OAuth tokens) - Start a Claude Code session and send a prompt (works fine)
- Wait for the token to expire (1 hour for Databricks OAuth)
- Send another prompt — fails with 403
- Send another prompt — succeeds (background refresh from step 4 cached a fresh token)
Claude Model
Opus
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.1.92
Platform
Other
Operating System
macOS
Terminal/Shell
Other
Additional Information
Using Claude Opus 4.6 via Databricks AI Gateway as the LLM endpoint.
Related issues: #5737 (same problem with AWS STS tokens on Bedrock — that case was fixed with a Bedrock-specific 403 handler, but the fix doesn't cover generic apiKeyHelper).
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗