Found it — race in services/auth/token_cache.go. Concurrent refreshes for the same subject both miss cache and the slower one overwrites the fresh token with a stale one → next request gets a 502. Deploy a3f9c1e exposed it by dropping the per-request mutex.
Draft PR: #48217 · CI green · +71 −12
Open session in Claude