Merged
Size: M
Change Breakdown: Bug Fix 75%, Refactor 20%, Maintenance 5%
#28340 fix(core): Refresh the ai assistant token if it's about to expire (no-changelog)

Proxy tokens refreshed before expiration

AI assistant tokens are now refreshed automatically before they expire, preventing 401 errors during long-running agent turns or human-in-the-loop pauses.

The AI assistant was fetching a new proxy token for each turn, but those tokens carry a 10-minute window. During a single orchestration turn, particularly when a human-in-the-loop pause stretches on, the token could expire before the response arrived, leaving the agent stuck with an "Unauthorized" error.

A new ProxyTokenManager class now caches the JWT and refreshes it proactively. Rather than relying on server-side metadata, the manager decodes the token's exp claim directly, calculating when to refresh at 80% of the token's lifetime. This means the system automatically adapts if the server changes its token duration.

One token manager instance is shared across the Anthropic model, Brave Search proxy, and LangSmith tracing — reducing redundant fetches while ensuring every outbound request gets a valid credential.

The change touches the createExecutionEnvironment flow in the CLI package, refactoring how proxy authentication is wired so that each component receives a lazy getter instead of a static header object.
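
The caching and refresh-at-80% behaviour described above, as an added example that is not code from the PR or from n8n. The names CachedProxyToken, decodeExpMs, refreshAtMs and makeSampleJwt are hypothetical; measuring the lifetime from the moment of fetch to exp, and sharing one in-flight refresh between concurrent callers, are assumptions of this example.

```typescript
// Added example: hypothetical names, not the PR's actual ProxyTokenManager code.
type FetchToken = () => Promise<string>;

// Read `exp` (seconds) from the JWT payload, in ms. The signature is not
// verified: `exp` only schedules the refresh, the proxy still validates tokens.
function decodeExpMs(jwt: string): number {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (typeof payload.exp !== 'number') throw new Error('JWT has no numeric exp claim');
  return payload.exp * 1000;
}

// Assumption: lifetime runs from the moment of fetch to `exp`.
function refreshAtMs(fetchedAtMs: number, expMs: number, ratio = 0.8): number {
  return Math.round(fetchedAtMs + (expMs - fetchedAtMs) * ratio);
}

class CachedProxyToken {
  private token?: string;
  private refreshAt = 0;
  private inFlight?: Promise<string>;
  private readonly fetchToken: FetchToken;
  private readonly now: () => number;
  constructor(fetchToken: FetchToken, now: () => number = Date.now) { this.fetchToken = fetchToken; this.now = now; }
  // Lazy getter shared by all consumers; call it for every outbound request.
  async get(): Promise<string> {
    if (this.token !== undefined && this.now() < this.refreshAt) return this.token;
    // Concurrent callers share one refresh instead of each fetching a token.
    const pending = this.inFlight ?? this.refresh().finally(() => (this.inFlight = undefined));
    this.inFlight = pending;
    return pending;
  }
  private async refresh(): Promise<string> {
    const fetchedAt = this.now();
    const token = await this.fetchToken();
    const expMs = decodeExpMs(token);
    if (expMs <= fetchedAt) throw new Error('token is already expired on arrival');
    this.token = token;
    this.refreshAt = refreshAtMs(fetchedAt, expMs);
    return token;
  }
}

// Constructed sample input: an unsigned JWT-shaped string with the given `exp`.
function makeSampleJwt(expSeconds: number): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64({ exp: expSeconds })}.sig`;
}
```

Because the refresh point is derived from exp on every fetch, a server-side change to the token duration moves the refresh point without any client change.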

Original GitHub Description

Summary

We were requesting a new token from the AI assistant each turn, but as a single turn can take a while and as the tokens only have a 10min TTL in production, they could expire, leading to "Unauthorized" errors seen on the agent.

The Daytona proxy already always gets a new token with a lazy get function for the token, and I implemented something similar here, but as I didn't want every interaction with the proxy endpoints (for instance, the Anthropic one gets called a lot) to result in a new token call, I made us reuse the same token during the turn until its expiration time is near.

This complicates things a bit but should make it so that the token no longer expires during a long response turn or if the user leaves the agent waiting on a HITL suspension for a while.

Related Linear tickets, Github issues, and Community forum posts

https://www.notion.so/n8n/aef5b6e0c94f82159cc58164aa417607?v=7965b6e0c94f823c918f88516500cb86&p=33e5b6e0c94f8080ae24ff196877207f&pm=s


Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)