VS Code extension forces daily re-login due to refresh token rejection (400) when multiple windows are open

Resolved 💬 3 comments Opened May 24, 2026 by wdouglascampbell Closed Jun 25, 2026

Summary

The Claude Code VS Code extension (v2.1.145) prompts for re-authentication every day, even though OAuth tokens are persisted correctly in secure storage. Logs show the silent OAuth refresh call fails with HTTP 400, which then cascades into a 401 on /v1/messages and finally surfaces the login UI.

Environment

  • Claude Code VS Code extension v2.1.145 (anthropic.claude-code-2.1.145-win32-x64)
  • Windows 11 Pro (not domain-joined)
  • Pro subscription (claudeAiOauth)
  • No corporate proxy, no TLS interception, no group policy restricting credential storage (DisableDomainCreds = 0, no CredUI policies set)
  • Anthropic endpoints reachable with valid certs from a normal browser
  • Typical usage: multiple VS Code windows open simultaneously across different projects (log dirs confirm window1, window2, window3 on the same day)

Reproduction

  1. Use Claude Code extension across multiple VS Code windows during a normal workday
  2. Close VS Code at end of day (or let machine sleep overnight)
  3. Open VS Code the next morning — login screen appears in the Claude Code chat panel

Evidence from extension log

%APPDATA%\Code\logs\<session>\window1\exthost\Anthropic.claude-code\Claude VSCode.log:

2026-05-22 07:59:55.392 [info] AuthManager initialized
2026-05-22 07:59:55.392 [info] OAuth tokens found in secure storage
...
2026-05-22 08:00:09.783 [info] From claude: [ERROR] OAuth refresh failed (expected): Request failed with status code 400
...
2026-05-22 08:03:08.252 [ERROR] API error (attempt 1/11): 401 {"type":"error","error":{"type":"authentication_error","message":"Invalid authentication credentials"},"request_id":"[REDACTED]"}
2026-05-22 08:03:09.001 [ERROR] API error (attempt 2/11): 401 ...
...
2026-05-22 08:03:20.947 [info] Received message from webview: {"type":"login","method":"claudeai"}

The refresh-token POST is rejected by the Anthropic auth server with 400, and the extension's own log labels this (expected). It then proceeds to use the now-expired access token, gets the predictable 401, retries 11 times, and falls back to the login screen.

Suspected cause

Single-use rotating refresh tokens combined with concurrent clients. When multiple VS Code windows each instantiate the Claude Code extension, they all hold the same refresh token. The first one to refresh wins; the rest are silently invalidated server-side, surfacing the next day as a 400 on refresh.

Expected behavior

  • Refresh-token race between multiple extension instances should be coordinated (shared lock on the credentials file, or single-writer authority)
  • A 400 on refresh should produce a clearer error than (expected) and surface the actual server response so users can diagnose
  • Ideally the extension should re-attempt the refresh once on 401 rather than treating the cached token as authoritative

Workarounds I'm aware of

  • Only run a single VS Code window with Claude Code at a time
  • Don't run the standalone claude CLI alongside the extension

Neither is acceptable for normal multi-project developer workflow.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗