Work order management API token expiry causing session timeouts in batch updates

john215 · December 20, 2024, 8:18am

We’re running FactoryTalk MES 12.0 and experiencing issues with our automated work order management integration. When running large batch work order updates via REST API (typically 500-1000 work orders), the process fails midway through with authentication errors. The API token appears to expire during the batch job execution, causing session timeouts.

Our current implementation gets a token at the start of the batch job:

String token = authClient.getAccessToken(username, password);
for (WorkOrder wo : workOrders) {
    apiClient.updateWorkOrder(wo.getId(), wo, token);
}

The batch job takes about 45-60 minutes to complete, but we’re seeing authentication failures starting around the 30-minute mark. The error indicates ‘Token expired - please re-authenticate’, which causes data inconsistency because some work orders update successfully while others fail. We’ve had to implement manual cleanup scripts to identify and retry failed updates, which is error-prone.

I need to understand the proper API token lifetime configuration and whether there’s built-in token refresh logic we should be using for long-running batch operations. How should we handle batch job error recovery when token expiry occurs mid-process?

neha_expert · May 19, 2025, 9:25am

I didn’t realize refresh tokens were available. Looking at our authentication response, I do see a refresh_token field that we’ve been ignoring. Should we be proactively refreshing the token at regular intervals (say, every 25 minutes), or is there a way to detect when a token is about to expire and refresh it just-in-time?

karenking · May 21, 2025, 4:50pm

Don’t forget to handle the refresh token expiry as well. Refresh tokens typically have a longer lifetime (hours or days), but they do expire. If your batch job runs longer than the refresh token lifetime, you’ll need to fall back to full re-authentication. Also, make sure your error handling distinguishes between expired access tokens (refresh and retry) versus expired refresh tokens (re-authenticate from scratch).

prooptimizer · May 20, 2025, 11:15am

For batch operations, I recommend a hybrid approach. Implement proactive refresh at 80% of the token lifetime (24 minutes if lifetime is 30 minutes) plus reactive error handling. If you get a 401 Unauthorized response, immediately attempt token refresh and retry the failed request. This way you minimize refresh operations while ensuring the batch job can recover from unexpected token expiry. Also, consider implementing exponential backoff on retries to avoid overwhelming the auth service if there are broader authentication issues.

dan_specialist · May 23, 2025, 8:30am

From an operational perspective, you should also consider whether 30-minute token lifetime is appropriate for your use case. While shorter lifetimes are more secure, they create complexity for long-running batch jobs. If your network is properly secured and you have audit logging in place, you might request an increase in token lifetime for service accounts used by batch processes. We run ours at 2 hours for automated integrations, which reduces token management overhead.

thomassql · May 18, 2025, 3:40pm

The default API token lifetime in FactoryTalk MES 12.0 is 30 minutes, which explains your 30-minute failure point. You need to implement token refresh logic in your batch job. The API supports refresh tokens - when you initially authenticate, you receive both an access token and a refresh token. Use the refresh token to get a new access token before the current one expires.

isabella_func · May 25, 2025, 2:20pm

Your batch processing implementation needs comprehensive token lifecycle management and robust error handling. Here’s how to address all three aspects:

API Token Lifetime Configuration: The default 30-minute token lifetime is configured in the FactoryTalk MES API Gateway settings. For service accounts running batch operations, you can extend this without compromising security. Access the API Gateway admin console (typically at https://your-mes-server:8443/api-admin) and navigate to Security > Token Policies. Create a dedicated token policy for your integration service account with these settings:

Access Token Lifetime: 7200 seconds (2 hours)
Refresh Token Lifetime: 28800 seconds (8 hours)
Enable Sliding Refresh (extends refresh token lifetime with each use)

This gives your batch jobs sufficient time to complete while maintaining reasonable security boundaries. Apply this policy specifically to your integration service account, not globally.

Token Refresh Logic Implementation: Modify your batch job to implement proactive token refresh with error recovery:

TokenManager tokenMgr = new TokenManager(authClient);
long tokenRefreshInterval = 6600000; // 110 minutes
long lastRefresh = System.currentTimeMillis();

for (WorkOrder wo : workOrders) {
    if (System.currentTimeMillis() - lastRefresh > tokenRefreshInterval) {
        tokenMgr.refreshAccessToken();
        lastRefresh = System.currentTimeMillis();
    }
    // Retry logic with token refresh on 401
}

Implement a TokenManager class that stores both access and refresh tokens, handles proactive refresh at 90% of token lifetime, and provides retry logic when API calls fail with 401 errors. The refresh endpoint is POST /api/auth/refresh with the refresh token in the request body.

Batch Job Error Handling for Mid-Process Failures: To prevent data inconsistency, implement transactional batch processing with checkpoint/restart capability:

Checkpoint Mechanism: After every 50 work orders, persist the current batch position to a database table or file. Include the work order ID of the last successfully processed item and the current token state.
Idempotent Updates: Ensure your work order update logic is idempotent - if a work order was already updated, the API call should succeed without creating duplicates or conflicts. Use conditional updates based on version numbers or timestamps.
Structured Error Recovery: When token expiry occurs mid-batch:
- Attempt token refresh using the refresh token
- If refresh succeeds, retry the current work order update
- If refresh fails (refresh token also expired), re-authenticate and resume from the last checkpoint
- Log all retry attempts with work order IDs for audit trail
Dead Letter Queue: Implement a failed work order queue. If a work order fails after 3 retry attempts (even with fresh tokens), move it to a separate queue for manual review. This prevents one problematic work order from blocking the entire batch.

Enhanced Implementation Pattern: Consider implementing a batch processor with these components:

Token manager with automatic refresh (monitors expiry time from JWT claims)
Checkpoint manager (persists progress every N records)
Retry handler with exponential backoff (handles transient failures)
Transaction coordinator (ensures atomic updates or rollback for related work orders)

Monitoring and Alerting: Add instrumentation to track:

Token refresh frequency and success rate
Batch job duration and throughput (work orders per minute)
Authentication failure rates and recovery success
Checkpoint frequency and restart events

Set up alerts if token refresh fails more than twice in a single batch job, or if batch processing time exceeds expected duration by 50%.

With these changes, your batch jobs will handle token expiry gracefully, maintain data consistency through checkpointing, and provide clear audit trails for troubleshooting.

Topic		Replies	Views
Inventory optimization API token expiry causes automated stock sync failures Infor SCM question , api-integration , automation , rest-api , java , inventory-opt , oauth2 , token-management , is-2023-1	6	0	March 23, 2025
API token expiry causes automation failures in manufacturing collaboration (tc-12.4) Teamcenter question , api-integration , security-auth , automation , rest-api , java , mfg-collab , tc-12-4 , token-expiry	5	20	October 14, 2025
Procurement automation fails due to short-lived API tokens expiring mid-batch Manhattan Active Supply Chain question , procurement , api , automation , rest-api , batch-processing , oauth2 , token-expiry , security-authen	7	0	April 18, 2025
Backlog management REST API sync fails after OAuth token exp Micro Focus ALM / Quality Center question , api-integration , rest-api , java , batch-processing , oauth2 , token-management , backlog-mgmt , mf-25-4	5	0	January 11, 2026
OAuth2 refresh token not working for SBOM batch uploads in tc-12.3 Teamcenter question , security-auth , rest-api , java , sbom-mgmt , tc-12-3 , oauth2 , token-expiry , refresh-token	2	0	April 16, 2025
API authentication tokens expiring prematurely during supplier data sync Arena QMS (by PTC) question , supplier-mgmt , oauth , rest-api , data-sync , batch-processing , security-authen , token-expiration , aqp-2023-1	4	0	March 31, 2025
Compliance integration fails due to expired API tokens during scheduled sync MasterControl Quality Excellence question , compliance , rest-api , authentication , data-loss , token-expiry , scheduled-jobs , api-sync , integration-frameworks	6	0	January 12, 2025
API token expiry causes access denied errors on secure endpoints despite auto-renewal logic PTC ThingWorx question , api-development , rest-api , authentication , token-expiry , job-scheduling , api-sdk , security-pol , twx-97	5	0	April 12, 2025
Automated tooling data import fails due to API token expiry in scheduled jobs ENOVIA question , security-auth , automation , rest-api , java , tooling-mgmt , env-r2022x , token-management , scheduled-jobs	3	2	January 21, 2025

Work order management API token expiry causing session timeouts in batch updates

Related topics