Incident postmortem · INC-2026-003
JWT refresh rotation race
SEV-2·mitigated
Concurrent refresh requests occasionally minted overlapping tokens; mitigated by adding a per-user refresh lock. Permanent fix in flight.
Started
Mar 18, 2026, 10:07 PM UTC
Resolved
Mar 18, 2026, 11:34 PM UTC
Duration
1h 27m
Root cause
Two browser tabs racing to refresh the same session minted two valid refresh tokens; the second mint silently invalidated the first, surfacing as a soft sign-out for the slower tab.
Customer impact
An estimated 0.4% of sessions across a 90-minute window saw an unexpected re-login prompt. No credential issuance or hire attestation was affected.
Remediation
- Added a per-user advisory lock around the refresh-mint code path.
- Wrote a regression test exercising 16 concurrent refresh attempts and asserting exactly one token survives.
- Permanent fix — switch refresh to a CAS-by-version_id update — scheduled for the next session-store migration.
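As an added illustration (not the incident's own code), the permanent fix described above: refresh rotation as a compare-and-swap on version_id, exercised by the 16-tab regression scenario. The in-memory store, its row schema and the handler names are assumptions standing in for the real session store.

```python
import secrets
import threading

class SessionStore:
    """In-memory stand-in for the session table (assumed schema). The lock only
    makes a row read and the compare-and-swap atomic, standing in for a single
    `UPDATE ... WHERE version_id = :expected`; it is not the per-user advisory lock."""
    def __init__(self):
        self._rows, self._atomic = {}, threading.Lock()
    def create(self, user_id):
        self._rows[user_id] = {"refresh_token": secrets.token_urlsafe(32), "version_id": 1}
        return dict(self._rows[user_id])
    def read(self, user_id):
        with self._atomic:                 # consistent snapshot of the row
            return dict(self._rows[user_id])
    def cas_rotate(self, user_id, expected_version, new_token):
        """Rotate only if the row is still at expected_version; return the new
        version_id, or None if another request rotated first."""
        with self._atomic:
            row = self._rows[user_id]
            if row["version_id"] != expected_version:
                return None
            row["refresh_token"], row["version_id"] = new_token, expected_version + 1
            return row["version_id"]

def refresh(store, user_id, presented_token):
    """Refresh handler. A losing racer gets None (surface it as a 409) instead
    of minting a second token that silently invalidates the winner's."""
    row = store.read(user_id)
    if presented_token != row["refresh_token"]:   # stale or replayed token
        return None
    new_token = secrets.token_urlsafe(32)
    if store.cas_rotate(user_id, row["version_id"], new_token) is None:
        return None
    return new_token

def race_refresh(n_tabs=16):
    """The regression scenario: n tabs refresh one session at the same moment.
    Returns (tokens actually minted, the store) so the caller can inspect both."""
    store = SessionStore()
    original = store.create("user-1")["refresh_token"]
    barrier, results = threading.Barrier(n_tabs), []
    def tab():
        barrier.wait()                     # release every tab at once
        results.append(refresh(store, "user-1", original))
    threads = [threading.Thread(target=tab) for _ in range(n_tabs)]
    for t in threads: t.start()
    for t in threads: t.join()
    return [t for t in results if t is not None], store
```

Whichever tab wins, the row ends at version_id 2 holding exactly the one minted token; the losers are rejected outright rather than overwriting it.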