RORK LABJP
MAX — Rork Max generates native Swift for iPhone, iPad, Apple Watch, Apple TV, and Vision Pro, with 2-click App Store publishing and no Xcode requiredSTACK — Standard Rork builds cross-platform mobile apps with React Native (Expo); choosing between the two by use case is the key decisionFOCUS — Unlike web-first tools such as Bolt or Lovable, Rork specializes in native iOS and Android app generationBUGS — A hands-on review reports Rork resolved about 70% of bugs without manual help, with the remaining 30% needing edits in the exported codebaseFUNDING — Rork raised $2.8M from a16z (Andreessen Horowitz)PRICING — It is free to start, with paid plans from $25/month, so you can try before committingMAX — Rork Max generates native Swift for iPhone, iPad, Apple Watch, Apple TV, and Vision Pro, with 2-click App Store publishing and no Xcode requiredSTACK — Standard Rork builds cross-platform mobile apps with React Native (Expo); choosing between the two by use case is the key decisionFOCUS — Unlike web-first tools such as Bolt or Lovable, Rork specializes in native iOS and Android app generationBUGS — A hands-on review reports Rork resolved about 70% of bugs without manual help, with the remaining 30% needing edits in the exported codebaseFUNDING — Rork raised $2.8M from a16z (Andreessen Horowitz)PRICING — It is free to start, with paid plans from $25/month, so you can try before committing
Articles/Dev Tools
Dev Tools/2026-06-15Advanced

Keeping Login Alive in a Rork-Built Expo App — Preventing Token-Refresh Races with Single-Flight

Add login to the Expo app Rork generates and it works at first, but in production the 'I got logged out on my own' reports creep in. Most are token-refresh races. This covers a reliability design that single-flights refresh, stores tokens safely, and handles expiry correctly.

Expo84Authentication5TokensReliability2Rork415
Premium Article

About a week after shipping an app with login added, "I keep finding myself logged out" reports started trickling in. I could not reproduce it. My own device never logged me out, yet specific users were rejected over and over.

Lining up the logs, I found multiple requests starting a token refresh at the same instant: one invalidating the old token, the other overwriting storage with the now-invalidated token. A token-refresh race. Add login as-is to the Expo app Rork generates and this race stays hidden, then bares its teeth in production once users grow. Here I share a reliability design that keeps login alive.

Why it does not reproduce on your device

During development, operations are usually serial. Open a screen, press a button, see the result. Requests do not overlap. In production, though, when the app resumes, several screens fetch data at once and all the requests receive 401 at nearly the same time.

If each request then starts its own refresh, refreshes multiply simultaneously. Many auth backends rotate the refresh token on first use and revoke the old one, so the second and later refreshes fail holding an "already-used token." As a result, the freshly obtained new token gets overwritten by a late-arriving failure response, and the user is suddenly logged out.

It does not reproduce on your device because you are not overlapping requests. This kind of bug grows in proportion to user count and network slowness, so it is hardest to find right after launch. I myself passed App Store review with no issue, yet watched the tickets grow over the first week.

Single-flight to unify refresh

The core of the fix is this: no matter how many requests hit 401 at once, run the token refresh only once. Only the first to start refresh actually talks to the network; the rest wait and share its result. This is called single-flight.

let refreshPromise = null;
 
async function getFreshToken(refreshFn) {
  // If a refresh is already in flight, share and await that Promise
  if (refreshPromise) return refreshPromise;
 
  refreshPromise = (async () => {
    try {
      const tokens = await refreshFn();   // the actual refresh call runs once
      await saveTokens(tokens);
      return tokens.accessToken;
    } finally {
      refreshPromise = null;              // always release on completion
    }
  })();
 
  return refreshPromise;
}

The key is releasing in finally. Forget it and after one failed refresh refreshPromise lingers, leaving later refreshes returning the old result forever. I once forgot this release and created the worse bug of "log out once, never log in again."

Retry once on 401

Once single-flight yields a new token, retry the failed request with it exactly once. Unlimited retries loop infinitely when the token truly is revoked, so cap retries at one.

async function fetchWithAuth(url, options, deps) {
  let token = await deps.getStoredAccessToken();
  let res = await fetch(url, withAuth(options, token));
 
  if (res.status === 401) {
    token = await getFreshToken(deps.refreshFn);   // single-flight here
    if (!token) return res;                         // refresh itself failed = logout confirmed
    res = await fetch(url, withAuth(options, token)); // retry once only
  }
  return res;
}

Not pressing on when the refresh itself fails matters too. If the refresh token is genuinely revoked, no number of tries will pass. In that case, cleanly returning to the login screen makes behavior more predictable for the user.

Thank you for reading this far.

Continue Reading

What follows includes implementation code, benchmarks, and practical content we hope you'll find useful. This site runs without ads — server and development costs are supported entirely by members like you. If it's been helpful, we'd be truly grateful for your support.

WHAT YOU'LL LEARN
An implementation that prevents the race where multiple requests hit 401 at once and double-fire refresh, using single-flight
Criteria for balancing revocation and leak risk with refresh-token rotation and SecureStore storage
How clock skew and offline recovery cause 'spontaneous logout,' and the retry-and-grace design that cut my support tickets by about 80%
Secure payment via Stripe · Cancel anytime

Unlock This Article

Get full access to the rest of this article. Buy once, read anytime. This site is ad-free — your support goes directly toward keeping it running.

or
Unlock all articles with Membership →
Share

Thank You for Reading

Rork Lab is ad-free, supported entirely by members like you. We publish practical guides daily with implementation code, benchmarks, and production-ready patterns. If you've found it useful, we'd love to have you on board.

  • Copy-paste ready implementation code
  • New advanced guides published daily
  • $5/mo or $10 for lifetime access
View Membership →

Related Articles

Dev Tools2026-04-24
Adding Sign in with Apple to Your Rork App — What Review Actually Requires and Where People Get Stuck
A practical walkthrough for adding Sign in with Apple to an existing Rork app. Covers the exact Guideline 4.8 requirements that reject Google/Facebook-only apps, the non-obvious parts of expo-apple-authentication, backend token verification with identityToken, and the account deletion requirement most tutorials skip.
Dev Tools2026-06-16
Notifications You Can Finish Without Opening the App — Interactive Notification Actions for Rork Apps
Those buttons and text fields that appear when you long-press a notification. Here is how to implement interactive notification actions in a Rork-built Expo app for an experience that completes without launching, including the background-execution pitfalls.
Dev Tools2026-06-16
Landing Users on the Right Screen Right After Install — Deferred Deep Links for Rork Apps
When someone follows a campaign link and installs through the store, the 'where did they come from' context is gone by launch time. Here is how to implement deferred deep linking in a Rork-built app without any third-party SDK.
📚RECOMMENDED BOOKS
Build a Large Language Model (From Scratch)
Sebastian Raschka
LLM Dev
Prompt Engineering for LLMs
Berryman & Ziegler
Prompting
AI Engineering
Chip Huyen
AI Eng
* Contains affiliate links
See all →