[PR #33] [CLOSED] feat(auth): add support for multiple refresh tokens #62

Closed
opened 2026-02-27 07:17:47 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/jwadow/kiro-gateway/pull/33
Author: @Kartvya69
Created: 1/11/2026
Status: Closed

Base: main ← Head: feat/multi-refresh-token-support


📝 Commits (4)

  • 8008653 feat(auth): add support for multiple refresh tokens
  • 5260de5 feat(auth): implement token rotation relay with health tracking
  • d5b5605 feat(auth): add background refresh to keep all tokens warm
  • e6d540a Merge branch 'jwadow:main' into feat/multi-refresh-token-support

📊 Changes

5 files changed (+570 additions, -64 deletions)

📝 kiro/auth.py (+513 -47)
📝 kiro/config.py (+6 -2)
📝 kiro/routes_openai.py (+28 -1)
📝 main.py (+12 -3)
📝 tests/unit/test_auth_manager.py (+11 -11)

📄 Description

Summary

Add comprehensive multi-token support with rotation, failover, and background refresh:

  • Token Rotation: Round-robin distribution across all healthy tokens
  • Automatic Failover: On failure, tries next healthy token automatically
  • Health Tracking: Exponential backoff for failed tokens (avoids hammering bad tokens)
  • Background Refresh: Proactively refreshes ALL tokens every 5 minutes
  • Token Pool: Each token maintains its own access token for zero-latency requests
  • Monitoring Endpoint: GET /health/tokens shows pool status and per-token health

How It Works

# .env - comma-separated tokens
REFRESH_TOKEN=token1,token2,token3

On Startup:

  1. Background task starts automatically
  2. Refreshes all tokens immediately
  3. Repeats every 5 minutes to keep pool warm

On Request:

  1. Check pool for pre-refreshed token → instant return
  2. If none available → on-demand refresh with round-robin
  3. On failure → rotate to next healthy token

New Monitoring Endpoint

curl -H "Authorization: Bearer $API_KEY" http://localhost:8000/health/tokens

Returns:

  • background_refresh_active: whether background task is running
  • Per-token stats: has_valid_token, expires_at, healthy, success/failure counts

Test plan

  • All 71 auth manager unit tests pass
  • TokenHealth class tracks per-token access tokens
  • Round-robin rotation works correctly
  • Background refresh integrates with app lifespan
  • get_access_token() uses pre-refreshed tokens from pool

CLA

I have read the CLA and I accept its terms.


Author: @Kartvya69

🤖 Generated with Claude Code


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
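
The rotation, failover and backoff behaviour the description outlines, sketched as an added example; this is not the PR's code, and `TokenPool`, `PooledToken`, the 30-second base delay and the 900-second cap are assumptions. The status view identifies tokens by position only, so monitoring output never carries refresh-token material.

```python
import time
from dataclasses import dataclass

BASE_BACKOFF = 30.0   # assumed first cool-down, seconds
MAX_BACKOFF = 900.0   # assumed cap on the cool-down

@dataclass
class PooledToken:            # hypothetical name, not the PR's class
    refresh_token: str
    successes: int = 0
    failures: int = 0         # consecutive failures since the last success
    retry_at: float = 0.0     # clock value before which the token is skipped

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.successes, self.failures, self.retry_at = self.successes + 1, 0, 0.0
        else:
            self.failures += 1
            delay = min(BASE_BACKOFF * 2 ** (self.failures - 1), MAX_BACKOFF)
            self.retry_at = now + delay

class TokenPool:
    def __init__(self, env_value: str, clock=time.monotonic):
        # Split the comma-separated REFRESH_TOKEN value; drop blanks and duplicates.
        raw = [t.strip() for t in env_value.split(",") if t.strip()]
        self.tokens = [PooledToken(t) for t in dict.fromkeys(raw)]
        self._next, self._clock = 0, clock

    def refresh(self, do_refresh):
        """Round-robin over healthy tokens; on failure move to the next one."""
        n = len(self.tokens)
        for step in range(n):
            i = (self._next + step) % n
            tok, now = self.tokens[i], self._clock()
            if now < tok.retry_at:
                continue                      # still backing off
            try:
                access = do_refresh(tok.refresh_token)
            except Exception:
                tok.record(False, now)
                continue
            tok.record(True, now)
            self._next = (i + 1) % n
            return i, access
        raise RuntimeError("no healthy refresh token available")

    def status(self):
        """Per-token health keyed by position only; no token material is returned."""
        now = self._clock()
        return [{"index": i, "healthy": now >= t.retry_at,
                 "successes": t.successes, "failures": t.failures}
                for i, t in enumerate(self.tokens)]
```

`do_refresh` stands in for whatever call exchanges a refresh token for an access token; it is expected to raise on failure.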

Reference
starred/kiro-gateway-jwadow#62