The JWT Refresh Race Condition Nobody Talks About (And How I Fixed It)

via Dev.toDevil

The Bug That Kept Logging Me Out

I was building a PWA with a custom Node.js backend and Supabase auth. Everything worked fine — until users (me) kept getting randomly logged out for no obvious reason. No errors. No warnings. Just suddenly back at the login screen.

What Was Actually Happening

Most JWT auth setups use two refresh strategies:

Proactive — a timer fires ~1 minute before the access token expires and refreshes it silently in the background.
Reactive — an Axios interceptor catches 401 errors and refreshes the token when a request fails.

The problem: both fired at the same time. Here's the exact sequence:

1. Proactive timer fires → sends refresh token to backend
2. An API call returns 401 simultaneously → interceptor also sends the same refresh token
3. Backend receives two requests with the same refresh token
4. First one succeeds → Supabase rotates the token, old one is now dead
5. Second one fails with 401 → interceptor hits the failure path → clears localStorage → redirects to /login

User
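The race described above, reproduced and then removed with a single-flight refresh, as an added example that is not the author's code and not the fix the full article describes (the excerpt ends before it). The backend is a constructed stand-in that models strict one-time refresh-token rotation; it is not the Supabase API, and real providers may allow a short reuse window. Everything else (FakeAuthServer, NaiveAuthClient, SingleFlightAuthClient, simulateRace, the token strings) is invented for the demonstration.

```javascript
// Constructed stand-in for a backend that rotates refresh tokens: each refresh
// token can be redeemed exactly once, and the reuse of a consumed token is a 401.
class FakeAuthServer {
  constructor() {
    this.validRefresh = new Set(['rt-1']); // constructed initial token
    this.counter = 1;
    this.calls = 0; // how many refresh requests actually hit the backend
  }

  async refresh(refreshToken) {
    this.calls++;
    // Simulated network/processing delay so two callers genuinely overlap.
    await new Promise((resolve) => setTimeout(resolve, 10));
    if (!this.validRefresh.has(refreshToken)) {
      const err = new Error('401 invalid refresh token');
      err.status = 401;
      throw err;
    }
    this.validRefresh.delete(refreshToken); // rotation: the old token is now dead
    this.counter++;
    const next = `rt-${this.counter}`;
    this.validRefresh.add(next);
    return { accessToken: `at-${this.counter}`, refreshToken: next };
  }
}

// Naive client: every caller (proactive timer, reactive interceptor) sends its
// own refresh request. This is the race from the article: the second request
// carries an already-rotated token, gets a 401, and the 401 path logs the user out.
class NaiveAuthClient {
  constructor(server, store) {
    this.server = server;
    this.store = store; // stands in for localStorage
  }

  async refresh() {
    try {
      const tokens = await this.server.refresh(this.store.refreshToken);
      Object.assign(this.store, tokens);
      return tokens.accessToken;
    } catch (err) {
      if (err.status === 401) {
        this.store.loggedOut = true; // "clear localStorage, redirect to /login"
      }
      throw err;
    }
  }
}

// Single-flight client: if a refresh is already in flight, later callers await
// the same promise instead of sending a second request with the same token.
// Both the timer and the interceptor therefore see one rotation and one result.
class SingleFlightAuthClient extends NaiveAuthClient {
  constructor(server, store) {
    super(server, store);
    this.inflight = null;
  }

  refresh() {
    if (!this.inflight) {
      this.inflight = super.refresh().finally(() => {
        this.inflight = null; // allow the next expiry cycle to refresh again
      });
    }
    return this.inflight;
  }
}

// Fire the proactive and reactive refresh in the same tick and report what
// happened. Returns counts rather than printing so the outcome can be checked.
async function simulateRace(ClientClass) {
  const server = new FakeAuthServer();
  const store = { accessToken: 'at-1', refreshToken: 'rt-1', loggedOut: false };
  const client = new ClientClass(server, store);
  const results = await Promise.allSettled([client.refresh(), client.refresh()]);
  return {
    refreshCalls: server.calls,
    failures: results.filter((r) => r.status === 'rejected').length,
    loggedOut: store.loggedOut,
    accessToken: store.accessToken,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  simulateRace(NaiveAuthClient).then((naive) => {
    console.log('naive:', naive); // 2 backend calls, 1 failure, loggedOut: true
    return simulateRace(SingleFlightAuthClient);
  }).then((single) => {
    console.log('single-flight:', single); // 1 backend call, 0 failures, loggedOut: false
  });
}
```

The single-flight promise is the minimal fix: it collapses concurrent refresh attempts into one backend request, so the interceptor never redeems a token the timer has already rotated. It does not by itself handle two browser tabs sharing the same refresh token, which is a separate instance of the same problem and needs a cross-tab lock or a token-reuse grace period on the backend.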

Continue reading on Dev.to