Problems with authentication on Supabase – 429 Too Many Requests
After updating our dependencies we suddenly started getting users being signed out, because apparently too many refresh_token requests are being sent.
Our Setup:
- Next.js 15.3
- @supabase/supabase-js 2.50.5
What I could see after adding lots of outputs to several files in the supabase-js library, is that the following happens:
- When user logs in first token is received: 60 seconds life time
- When token expires
auth/v1/token?grant_type=refresh_token is sent and comes back with a 200
- The session is saved to cookies (middleware.ts is in place as the documentation suggests, I've even set it to be exactly as in the docs for testing purposes)
- Session is loaded again to check if it expires soon, but it's not the session that has been stored
- Session expires and another token is requested -> Eventually running into the 429 Too Many Requests
Maybe this rings a bell for somebody, I'd be very grateful for any pointer.
Additional question: Why does the first token expire after just 60 seconds? Is this normal?3 Replies
On this page check the Access token expiry time https://supabase.com/dashboard/project/_/settings/jwt
Solution: 🤦♂️
Actual Solution: Set Access token expiry time to 1 hour. For some reason is was set to 60 seconds in the config. But the expiry margin – the rest time to live when the token is considered expired is 90s. Of course the token was instantly considered expired and refreshed over and over again. The documentation actually says so in the FAQ section: https://supabase.com/docs/guides/auth/sessions#frequently-asked-questions
So, really we are to blame, but I wonder, if maybe the config UI could show some red warning or something. Because using less than 91 seconds there will absolutely produce errors and they're really hard to debug.
You should leave this feedback on a GitHub issue on the supabase repo https://github.com/supabase/supabase