API token expiry causes automation failures in manufacturing collaboration (tc-12.4)

Our automated manufacturing collaboration scripts are experiencing intermittent failures due to API token expiration in Teamcenter 12.4. We have several Python scripts that sync manufacturing process data between Teamcenter and our shop floor systems every 15 minutes.

The scripts authenticate once at startup and reuse the token for subsequent API calls. This works fine for the first few hours, but after about 4 hours, we start getting 401 Unauthorized errors. The token expiry is set to 8 hours in our configuration, so theoretically the scripts should work for a full business day.

The error pattern is inconsistent - sometimes it fails after 3 hours, sometimes after 6 hours. When we add token refresh logic that requests a new token every hour, it works but feels inefficient. We’re seeing this across multiple automation scripts:

requests.post(api_url, headers={'Authorization': f'Bearer {token}'})
# Returns: 401 Unauthorized after ~4 hours

Is there a recommended pattern for handling API token refresh logic in long-running automation scripts? Should we implement proactive token refresh or reactive error handling when 401 occurs?

Here’s a comprehensive solution addressing all three critical aspects of API token management for your manufacturing collaboration automation:

1. API Token Refresh Logic Implementation:

The most robust approach combines proactive refresh with reactive error handling. Implement this pattern in your automation scripts:

// Pseudocode - Token management class:
1. Store token with metadata: {access_token, expires_at, refresh_threshold}
2. Before each API call: check if current_time >= (expires_at - refresh_threshold)
3. If refresh needed: call token_refresh_endpoint() and update stored token
4. If API call returns 401: force immediate token refresh and retry once
5. Log all token refresh events for monitoring
// Refresh threshold = 20% of token lifetime (e.g., 96 minutes for 8-hour tokens)

Key implementation details:

• Parse the token expiry from the authentication response (usually in JWT payload or response headers)
• Set refresh threshold to 20% of token lifetime - for 8-hour tokens, refresh at 6.4 hours
• Implement exponential backoff for refresh failures
• Never refresh more than once per minute to avoid server overload

2. 401 Error Handling Strategy:

Implement a comprehensive error handling wrapper for all API calls:

// Pseudocode - API call wrapper with retry logic:
1. Attempt API call with current token
2. If response == 401:
   a. Check if token refresh already attempted in last 60 seconds
   b. If not, refresh token and retry original request once
   c. If retry also fails with 401, raise authentication error
3. If response == 429 (rate limit): implement exponential backoff
4. If response == 5xx: retry with exponential backoff (max 3 attempts)
5. Log all errors with request context for debugging

Critical considerations for 401 handling:

• Only retry once after token refresh to avoid infinite loops
• Distinguish between token expiry (refresh and retry) and invalid credentials (fail immediately)
• Implement circuit breaker pattern if multiple consecutive 401s occur (indicates systemic auth issue)
• Track 401 error rate - if >5% of requests fail, alert administrators

3. Automation Script Token Update Pattern:

For manufacturing collaboration scripts running 24/7, implement this architecture:

Token Manager Class: Create a singleton token manager that all scripts share:

• Stores token in secure location (encrypted file or secret manager)
• Provides thread-safe access to current token
• Handles refresh logic centrally
• Supports multiple concurrent script instances

Configuration Updates: Adjust Teamcenter token settings for automation workloads:

• Create dedicated service account for manufacturing automation
• Configure longer token lifetime for service accounts: 12-24 hours
• Enable refresh token support (if available in TC 12.4)
• Set up token usage monitoring alerts

Proactive Refresh Implementation:

// Pseudocode - Background token refresh thread:
1. Start background thread that runs every 5 minutes
2. Check if token expires within next 2 hours
3. If yes, proactively refresh token before expiry
4. Update shared token storage atomically
5. Continue monitoring and refresh as needed
// This ensures token never expires during critical manufacturing operations

Complete Solution Architecture:

Phase 1 - Immediate Fix:

1. Implement reactive 401 handling in existing scripts
2. Add token expiry checking before API calls
3. Set refresh threshold to 80% of token lifetime
4. Deploy and monitor for 48 hours

Phase 2 - Robust Implementation:

1. Create centralized TokenManager class
2. Implement background refresh thread
3. Add token persistence (encrypted storage)
4. Migrate all scripts to use TokenManager

Phase 3 - Advanced Features:

1. Implement token pooling for high-concurrency scenarios
2. Add health check endpoint that validates token status
3. Set up monitoring dashboard for token refresh metrics
4. Configure alerts for authentication anomalies

Server-Side Configuration:

Work with Teamcenter administrators to optimize token settings:

1. Verify actual token lifetime policy:

   • Check global security settings
   • Verify manufacturing collaboration module settings
   • Ensure no conflicting policies override your 8-hour configuration

2. Create service account with optimal settings:

   • Token lifetime: 24 hours
   • Enable refresh token support
   • Disable session timeout for service accounts
   • Grant minimum necessary permissions for manufacturing operations

3. Configure token validation mode:

   • Use time-based validation only (not session-based)
   • Disable IP address binding for tokens (scripts may run from different servers)
   • Enable token reuse across multiple script instances

Testing and Validation:

Before deploying to production:

1. Test token refresh at various intervals (1 hour, 4 hours, 8 hours, 24 hours)
2. Simulate network failures during token refresh
3. Test concurrent token usage by multiple script instances
4. Verify proper handling when token refresh fails
5. Measure performance impact of token refresh operations

Monitoring and Alerting:

Set up monitoring for:

• Token refresh success rate (should be >99.9%)
• Average time between token refreshes
• 401 error rate (should be <0.1% after implementation)
• Token refresh latency (should be <500ms)

Alert conditions:

• Multiple consecutive token refresh failures
• 401 error rate exceeds 1%
• Token refresh latency exceeds 2 seconds
• Service account credentials approaching expiry

This comprehensive approach ensures your manufacturing collaboration automation runs reliably 24/7 without authentication interruptions, while maintaining security best practices and efficient resource usage.

The 401 errors you’re seeing might not be due to token expiry alone. Check if your Teamcenter server has session-based token validation in addition to time-based expiry. Some configurations validate tokens against active server sessions, and if those sessions timeout before the token expiry time, you’ll get 401 errors even with a valid token. Review your server session timeout settings.

For manufacturing automation, I’d recommend using service accounts with longer token lifetimes rather than user accounts. Service accounts can be configured with different token policies specifically for automation scenarios. Also, implement proper token storage - don’t just keep it in memory. Store it securely and check its validity before use. This way if your script restarts, it can resume with the existing valid token.

Consider using OAuth refresh tokens instead of bearer tokens if your Teamcenter version supports it. Refresh tokens are designed for exactly this use case - long-running processes that need to maintain authentication. You get a short-lived access token and a long-lived refresh token, and you can request new access tokens without re-authenticating. Much cleaner than trying to manage bearer token expiry manually.

Have you checked if there’s a maximum token lifetime policy on the Teamcenter server side that overrides your 8-hour configuration? Sometimes there are global security policies that limit token validity regardless of what individual applications request. Also, verify if your manufacturing collaboration module has its own token configuration that differs from the general REST API settings.