tickernelz · RaphaelManke · Mar 18, 2026
diff --git a/src/core/auth/token-refresher.ts b/src/core/auth/token-refresher.ts
@@ -70,7 +70,8 @@ export class TokenRefresher {
         error.code === 'InvalidTokenException' ||
         error.code === 'HTTP_401' ||
         error.code === 'HTTP_403' ||
-        error.message.includes('Invalid refresh token provided'))
+        error.message.includes('Invalid refresh token provided') ||
+        error.message.includes('Invalid grant provided'))
     ) {
       this.accountManager.markUnhealthy(account, error.message)
       await this.repository.batchSave(this.accountManager.getAccounts())

diff --git a/src/plugin/accounts.ts b/src/plugin/accounts.ts
@@ -177,7 +177,7 @@ export class AccountManager {
       delete acc.unhealthyReason
       delete acc.recoveryTime
       kiroDb.upsertAccount(acc).catch(() => {})
-      writeToKiroCli(acc).catch(() => {})
+      writeToKiroCli(acc).catch((e) => logger.warn('Failed to write token back to Kiro CLI', e))
     }
   }
   markRateLimited(a: ManagedAccount, ms: number): void {

diff --git a/src/plugin/health.ts b/src/plugin/health.ts
@@ -2,6 +2,8 @@ export function isPermanentError(reason?: string): boolean {
   if (!reason) return false
   return (
     reason.includes('Invalid refresh token') ||
+    reason.includes('Invalid grant provided') ||
+    reason.includes('invalid_grant') ||
     reason.includes('ExpiredTokenException') ||
     reason.includes('InvalidTokenException') ||
     reason.includes('HTTP_401') ||

diff --git a/src/plugin/sync/kiro-cli.ts b/src/plugin/sync/kiro-cli.ts
@@ -130,7 +130,8 @@ export async function syncFromKiroCli() {
         if (
           existingById &&
           existingById.is_healthy === 1 &&
-          existingById.expires_at >= cliExpiresAt
+          existingById.expires_at >= cliExpiresAt &&
+          existingById.expires_at > Date.now()
         )
           continue