Skip to content

Re-auth on HTTP Error 401

When you create a long running service (daemon), you want authentication to be refreshed automatically, without having to intervene manually. A typical example is a service that will post values to Obelisk, or a service that continually processes values from Obelisk.


In this step by step guide we are assuming a service that acts on its own behalf.

Schematic overview

Steps for a long running service

Steps to follow

Beginning at the start, you want your service to start its initial authenticaton/authorization with Obelisk. This is a 2-phase protocol that requires an Auth Token to get the eventual RPT token that is required to talk to the Obelisk APIs.

Get Auth Token

To get the Auth token, you simply follow step 1.2 of the Auth details section. Temporarily store this auth token, because you will need it to request the RPT token.

Get RPT Token

To get the RPT token, you simply follow step 2 of the Auth details section. The access_token mentioned there, is the Auth Token acquired in our previous step. Now store the received RPT token and its refresh_token plus the refresh_expires_in time. You will need it later.

Do API request

You can now do regular API calls by just adding a header Authorization with Bearer rpt_token, as explained in step 3 of the Auth details section.

Response code 401

If you encounter an HTTP response code 401, this means that your RPT token expired. This is normal, as RPT tokens only have a lifetime of a few minutes by design. In this case you should check the expiration time of the refresh token (which is in seconds!) that we acquired in the Get RPT Token step. There are two possible outcomes.

A. RPT refresh_token NOT expired

If the refresh_token is not expired yet, you can simply refresh the RPT token, by following the procedure explained in step 4 of the Auth details section. Don't forget to save your new tokens. You should now be able to call the Obelisk APIs again. Until the next 401.

B. RPT refresh_token IS expired

If the refresh_token is expired, than the easiest approach is to redo the auth procedure from the start. The reasoning for this is that it is highly likely that your original Auth Token is also expired by now, as is the Auth Token's refresh_token. The more pagmatic option here is to immediatly restart the auth procedure to get a new RPT token as fast as possible.