[Error [AuthApiError]: Invalid Refresh Token:

What are you trying to do? (please be as specific as possible and include relevant screenshots, code snippets, and reproduction steps)

Hi Team Plasmic!

We are getting an error on one of our servers. I think the error might (maybe be coming from our Plasmic studio project). The issue is that we are continuously requesting a token refresh from Supabase so much so that we’ve hit an API request limit.

We aren’t getting the same issue on our dev branch which is linked to a Plasmic project. We only get this issue on staging so my hypothesis is that the request might be coming from something on our Plasmic project.

Please not that our Plasmic auth is linked to our supabase auth.

Here is the error on our server.

2025-03-20T10:49:20.916511892Z [Error [AuthApiError]: Invalid Refresh Token: Refresh Token Not Found] {
2025-03-20T10:49:20.916545852Z   __isAuthError: true,
2025-03-20T10:49:20.916549492Z   status: 400,
2025-03-20T10:49:20.916552052Z   code: 'refresh_token_not_found'
2025-03-20T10:49:20.916554692Z }

and from Supabase

Any hints as to how to debug this would be highly appreciated.

Relevant links:

I switched branches of our plasmic project to dev and the issue went away. I then switch back to staging and so far there aren’t any more api requests.

Not sure why yet. I’ll keep an eye on things.

Hi, this shouldn’t be related to our integrations, we won’t perform requests to /token for your supabase, so I would recommend you to review your own code.

You are right!

@aihe_team we are facing the exact same issue! On a Next.js project though. After a while it seems the API is overloaded with requests to fetch the refresh token. Have you found a solution? I would appreciate very much if you could answer! Thanks

Oh about this. Sorry for the delay. I’m guessing this is on Supabase as well?

So, we were calling the supabase api endpoint several times.

To debug, I would suggest checking to see where you are calling: “api/plasmic-auth”. Our issue was that we were making multiple calls to api/plasmic-auth.

Let me know the details

Hi @aihe_team thanks for your reply.

We are not using Plasmic, just I found this thread by googling the issue.

Our stack is Nextjs and Supabase, both self-hosted on a VPN.

The issue seems that after a period of time Supabase gets flooded with requests to the auth endpoint, and the logs show lots of messages like this:

{
  "component": "api",
  "duration": 683846,
  "error_code": "refresh_token_not_found",
  "grant_type": "refresh_token",
  "level": "info",
  "method": "POST",
  "msg": "request completed",
  "path": "/token",
  "referer": "https://app.[URL to Nextjs - REDACTED]",
  "remote_addr": "[VPS IP - REDACTED]",
  "request_id": "d41014a5-9bc7-48b9-8fb0-ee335b0e6948",
  "status": 400,
  "time": "2025-06-24T19:28:37Z"
}

The requests seem to be coming from Nextjs and must be somehow related to refresh tokens turning invalid, since it always happens only after a period of time (about 2 weeks)…

Okay, then I’m afraid won’t be able to help much since our issue was related to our plasmic auth calls. My suggestion is hunting down all that make calls to your supabase endpoint.