OpenRouter Auth Token Expires Mid-Session — AADSTS90009 After ~60 Min Silent Refresh

What this error means

MCP silent token refresh sends v1 resource=<clientId> instead of v2 scope= → AADSTS90009 after ~60 min / GitHub Copilot API token expires mid-session with no proactive refresh, causing 401 errors in long-running subagents is a GitHub Copilot failure pattern reported for developers trying to developers using github copilot cli via mcp sessions experience silent oauth token expiration after ~60 minutes. the silent refresh sends outdated oauth v1 resource format instead of v2 scope format, causing azure ad rejection (aadsts90009). long-running coding sessions die unexpectedly without re-auth flow.. Based on the imported evidence, treat this as a tool-specific troubleshooting page rather than a generic API error.

Why this happens

Three distinct but related GitHub issues: copilot-cli#3583 (AADSTS90009 after ~60min silent refresh v1 vs v2 format), openclaw/openclaw#31132 (Copilot API token expires mid-session with no proactive refresh, 401 errors in long-running subagents), copilot-sdk#867 (authentication error on Debian Bookworm but same setup works on Windows). The v1→v2 OAuth transition is causing production-reliability issues for teams using Copilot CLI in CI/coding agents. Category: GitHub Copilot (Copilot-specific).

Common causes

• Three distinct but related GitHub issues: copilot-cli#3583 (AADSTS90009 after ~60min silent refresh v1 vs v2 format), openclaw/openclaw#31132 (Copilot API token expires mid-session with no proactive refresh, 401 errors in long-running subagents), copilot-sdk#867 (authentication error on Debian Bookworm but same setup works on Windows). The v1→v2 OAuth transition is causing production-reliability issues for teams using Copilot CLI in CI/coding agents. Category: GitHub Copilot (Copilot-specific).

Quick fixes

1. Confirm the exact error signature matches MCP silent token refresh sends v1 resource=<clientId> instead of v2 scope= → AADSTS90009 after ~60 min / GitHub Copilot API token expires mid-session with no proactive refresh, causing 401 errors in long-running subagents.
2. Check the GitHub Copilot account, local tool state, and provider configuration involved in the failing workflow.
3. Verify the account session, API key, provider settings, and environment where the failing tool is running.

Platform/tool-specific checks

• Verify the command, editor, extension, or API client that produced the error.
• Compare local settings with CI, deployment, or editor-level settings when the error appears in only one environment.
• Avoid deleting credentials, local model data, or project settings until the failing scope is clear.

Step-by-step troubleshooting

1. Capture the exact error message and the command, editor action, or request that triggered it.
2. Check whether the failure is account/auth, quota/rate, model/provider, local runtime, or deployment configuration.
3. Review the source evidence below and compare it with your environment.
4. Apply one change at a time and rerun the smallest failing action.
5. Keep the working fix documented for the team or deployment environment.

How to prevent it

• Keep provider/tool configuration documented.
• Record non-secret diagnostics such as tool version, provider name, model name, and command path.
• Add a lightweight check before CI or production workflows depend on the tool.