onUnauthorized

open suspend override fun onUnauthorized(responseHeaders: Map<String, String>): Boolean

Called by XrpcClient on HTTP 401. Recovers every recoverable cause in one call so the single retry that XrpcClient performs always carries fresh state. Control flow:

  1. If the server rotated DPoP-Nonce, store and persist it eagerly. Persisting before any refresh attempt means a refresh that throws (e.g. transient network failure) won't lose the rotated nonce.

  2. If the bound access token is a JWT whose exp is in the past or within a small skew window (so the next request would return 401 with invalid_token regardless of nonce), refresh proactively.

  3. If only the nonce was recoverable (opaque/non-expired token, new nonce already persisted in step 1), return true.

  4. Otherwise (no nonce signal: same nonce or no nonce header), refresh.
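
The four steps above as a stand-alone Kotlin sketch. This is an added example, not the library's implementation: NonceStore, TokenRefresher, handleUnauthorized, jwtExp, the 30-second skew and the choice to return the refresh result as the retry signal are all assumptions made for illustration.

```kotlin
import java.time.Instant
import java.util.Base64

// Hypothetical collaborators; refresh() returning "retry?" is an assumption.
interface NonceStore { var nonce: String?; suspend fun persist() }
interface TokenRefresher { suspend fun refresh(): Boolean }

const val EXP_SKEW_SECONDS = 30L // assumed size of the "small skew window"

// Returns the JWT exp claim, or null for an opaque token or a JWT without exp.
fun jwtExp(token: String): Long? {
    val parts = token.split('.')
    if (parts.size != 3) return null
    val payload = try {
        Base64.getUrlDecoder().decode(parts[1]).decodeToString()
    } catch (e: IllegalArgumentException) { return null }
    return Regex("\"exp\"\\s*:\\s*(\\d+)").find(payload)?.groupValues?.get(1)?.toLongOrNull()
}

suspend fun handleUnauthorized(
    headers: Map<String, String>, accessToken: String,
    store: NonceStore, refresher: TokenRefresher, now: Instant = Instant.now(),
): Boolean {
    // Step 1: header names are case-insensitive; persist before any refresh.
    val newNonce = headers.entries.firstOrNull { it.key.equals("DPoP-Nonce", ignoreCase = true) }?.value
    val rotated = newNonce != null && newNonce != store.nonce
    if (rotated) { store.nonce = newNonce; store.persist() }
    // Step 2: an expired (or nearly expired) JWT fails again whatever the nonce.
    val exp = jwtExp(accessToken)
    if (exp != null && exp <= now.epochSecond + EXP_SKEW_SECONDS) return refresher.refresh()
    // Step 3: only the nonce was stale, so retry with the stored nonce.
    if (rotated) return true
    // Step 4: no nonce signal, so the token is the remaining suspect.
    return refresher.refresh()
}

suspend fun main() {
    val store = object : NonceStore {
        override var nonce: String? = "nonce-old" // constructed value
        override suspend fun persist() = println("persisted nonce=$nonce")
    }
    val refresher = object : TokenRefresher {
        override suspend fun refresh(): Boolean { println("refresh called"); return true }
    }
    val claims = Base64.getUrlEncoder().withoutPadding().encodeToString("""{"exp":1}""".toByteArray())
    // Constructed inputs: rotated nonce with an expired JWT, then an opaque token.
    println(handleUnauthorized(mapOf("dpop-nonce" to "nonce-new"), "h.${claims}.s", store, refresher))
    println(handleUnauthorized(mapOf("DPoP-Nonce" to "nonce-3"), "opaque-token", store, refresher))
}
```

The exp claim is read here only to predict whether the server will reject the token; it is not a signature check, and the client should not treat the decoded payload as trusted.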