Session auto refresh, but I don't know what's causing it
Note: I can't fit all of the details of this issue into a single discord post, so I've put the full details in this google doc: https://docs.google.com/document/d/15voOa7ru8GIebVgS8AOVR_vC8q0DS8tzl9MIv6-H-RU/edit?usp=sharing
And written this synopsis:
I’m building a Flask webapp using Supabase for authentication. My custom session logic handles:
Logging out users inactive for >30 minutes.
Refreshing tokens if authenticated >60 minutes.
Generating new sessions when none exist.
The JWT expiry time is 70 minutes, and debug print statements are used to monitor session-related actions.
Problem
If a page remains open for 70+ minutes without interaction, four identical requests are made to refresh the token:
POST https://###.supabase.co/auth/v1/token?grant_type=refresh_token
This behavior:
Conflicts with my custom refresher by using the same tokens.
Creates "immortal" sessions, refreshing even after tabs close.
Lacks control and is wasteful on limited resources (e.g., 4 redundant requests).
This “auto-refresh” appears tied to the JWT expiry but is not triggered by my session-handling code (no debug logs appear).
Questions
Does the Supabase Python library auto-refresh tokens? If so, how can I disable it?
Could set_session or refresh_session() be causing this?
Any ideas on what might be triggering these requests?
Let me know if more details are needed.
And written this synopsis:
I’m building a Flask webapp using Supabase for authentication. My custom session logic handles:
Logging out users inactive for >30 minutes.
Refreshing tokens if authenticated >60 minutes.
Generating new sessions when none exist.
The JWT expiry time is 70 minutes, and debug print statements are used to monitor session-related actions.
Problem
If a page remains open for 70+ minutes without interaction, four identical requests are made to refresh the token:
POST https://###.supabase.co/auth/v1/token?grant_type=refresh_token
This behavior:
Conflicts with my custom refresher by using the same tokens.
Creates "immortal" sessions, refreshing even after tabs close.
Lacks control and is wasteful on limited resources (e.g., 4 redundant requests).
This “auto-refresh” appears tied to the JWT expiry but is not triggered by my session-handling code (no debug logs appear).
Questions
Does the Supabase Python library auto-refresh tokens? If so, how can I disable it?
Could set_session or refresh_session() be causing this?
Any ideas on what might be triggering these requests?
Let me know if more details are needed.
Google Docs
Note: Sorry this is so long, but I’ve been wrestling with this issue all day, and this is the most concise way I can put it. I’m building a webapp with python flask and have been using the supabase and it’s python library for a database and authentication. Currently I have this system in place U...
