fix(auth): 🔨 tighten oauth refresh intervals, expand refresh buffers, improve logging and add iFlow docs

- lower default OAUTH_REFRESH_INTERVAL from 3600s to 600s (updated .env.example, README, and background refresher)
- move background refresher sleep to after proactive refresh loop and suppress noisy info log to avoid unnecessary startup delay/noise
- increase REFRESH_EXPIRY_BUFFER_SECONDS for Gemini (30 minutes) and Qwen (3 hours)
- convert several lib_logger.info calls to debug and add richer error logging for HTTP failures and missing refresh tokens
- add Content-Type/Accept headers for Qwen token requests and surface HTTP error bodies for easier troubleshooting
- add extracted documentation: iFlow OAuth flow and iFlow JS bundle summary (docs/iflow_auth_flow_extracted.md, docs/iflow_js_bundle_summary.md)

.env.example

@@ -166,7 +166,7 @@ MAX_CONCURRENT_REQUESTS_PER_KEY_IFLOW=1
 # --- OAuth Refresh Interval ---
 # How often, in seconds, the background refresher should check and refresh
 # expired OAuth tokens.
-OAUTH_REFRESH_INTERVAL=3600 # Default is 3600 seconds (1 hour)
+OAUTH_REFRESH_INTERVAL=600 # Default is 600 seconds (10 minutes)
 
 # --- Skip OAuth Initialization ---
 # Set to "true" to prevent the proxy from performing the interactive OAuth

README.md

@@ -480,9 +480,9 @@ The following advanced settings can be added to your `.env` file (or configured
 
 #### OAuth and Refresh Settings
 
--   **`OAUTH_REFRESH_INTERVAL`**: Controls how often (in seconds) the background refresher checks for expired OAuth tokens. Default is `3600` (1 hour).
+-   **`OAUTH_REFRESH_INTERVAL`**: Controls how often (in seconds) the background refresher checks for expired OAuth tokens. Default is `600` (10 minutes).
     ```env
-    OAUTH_REFRESH_INTERVAL=1800  # Check every 30 minutes
+    OAUTH_REFRESH_INTERVAL=600  # Check every 10 minutes
     ```
 
 -   **`SKIP_OAUTH_INIT_CHECK`**: Set to `true` to skip the interactive OAuth setup/validation check on startup. Essential for non-interactive environments like Docker containers or CI/CD pipelines.

docs/iflow_auth_flow_extracted.md

@@ -0,0 +1,185 @@
+**iFlow OAuth Flow – Extracted From Bundle (`iflow.js`)**
+
+Purpose
+- Provide a precise, implementation-ready description of the iFlow authentication flow as embedded in the bundled CLI (`external/iflow-cli-tarball/package/bundle/iflow.js`).
+- Enable faithful replication in other tooling without re-reading the minified bundle.
+
+Scope
+- Focuses ONLY on iFlow-specific authorization (NOT generic Google / other OAuth client code also present in the bundle).
+- Omits internal unrelated libraries (telemetry, localization, unrelated OAuth handlers for other issuers).
+
+Overview of Sequence
+1. Determine callback port: Either `OAUTH_CALLBACK_PORT` env var, or dynamically allocate an ephemeral free port.
+2. Build local redirect URI: `http://localhost:{port}/oauth2callback` (host override via `OAUTH_CALLBACK_HOST`, default `localhost`).
+3. Generate anti-CSRF `state`: 32 random hex bytes.
+4. Construct authorization URL:
+   - Base: `https://iflow.cn/oauth`
+   - Query parameters:
+     - `loginMethod=phone`
+     - `type=phone`
+     - `redirect=<encoded redirect URL>&state=<state>` (note: the bundle concatenates and encodes the redirect first, then appends `&state=` and the state value; effectively `redirect` holds both the actual callback URL and embeds the state parameter)
+     - `client_id=10009311001`
+5. Display URL & attempt to open it in the system browser.
+6. Local HTTP server listens for requests to `/oauth2callback`.
+7. On callback:
+   - Reject if path not `/oauth2callback`.
+   - If `error` param present: redirect to `https://iflow.cn/oauth/error` and fail.
+   - If `state` mismatch: respond with plain text error (“State mismatch. Possible CSRF attack”).
+   - If `code` is present and `state` matches: exchange code for tokens.
+8. Token exchange: POST `https://iflow.cn/oauth/token`.
+9. On success: persist credentials (JSON file via internal helper), then fetch user info to obtain `apiKey`.
+10. Redirect browser to success page: `https://iflow.cn/oauth/success`.
+
+Authorization URL Details
+- Final composed form (illustrative – values substituted):
+  ```
+  https://iflow.cn/oauth?loginMethod=phone&type=phone&redirect={ENCODED_REDIRECT_AND_STATE}&client_id=10009311001
+  ```
+- Important nuance: The bundle embeds the state inside the `redirect` query value (pattern: `redirect=<encodeURIComponent(callbackUrl)> &state=<state>` BEFORE concatenation). Replication MAY instead send state as a separate top-level query parameter if the server tolerates it; however to remain faithful, mimic the bundle pattern: keep `state` appended inside the `redirect` value.
+  - Conservative replication: EXACT concatenation used by bundle:
+    - Let `callback = http://localhost:{port}/oauth2callback`
+    - Let `state = <random-hex>`
+    - Let `redirectParamValue = encodeURIComponent(callback) + "&state=" + state`
+    - Query param: `redirect=redirectParamValue`
+    - Full URL: `https://iflow.cn/oauth?loginMethod=phone&type=phone&redirect=${redirectParamValue}&client_id=10009311001`
+
+Callback Handling Logic
+- Expected parameters (in parsed search params of original request URL):
+  - `code`: authorization code (required for success)
+  - `state`: must equal originally generated random hex string
+  - `error`: signals authentication failure
+- Error conditions:
+  - Missing `code`: treated as failure ("noCodeFound").
+  - Missing or mismatched `state`: potential CSRF → failure.
+  - Any `error` param → failure.
+- On success: code progresses to token exchange.
+
+Token Exchange (Authorization Code Grant)
+- Endpoint: `https://iflow.cn/oauth/token`
+- Method: `POST`
+- Headers:
+  - `Content-Type: application/x-www-form-urlencoded`
+  - `Authorization: Basic <base64(client_id:client_secret)>`
+- Body parameters (URL-encoded form):
+  - `grant_type=authorization_code`
+  - `code=<authorization_code>`
+  - `redirect_uri=http://localhost:{port}/oauth2callback` (MUST match original callback URI before encoding inside redirect param)
+  - `client_id=10009311001`
+  - `client_secret=4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW`
+- Response JSON fields consumed:
+  - `access_token`
+  - `refresh_token`
+  - `expires_in` (converted to absolute expiry timestamp)
+  - `token_type`
+  - `scope`
+
+User Info / API Key Retrieval
+- Endpoint: `https://iflow.cn/api/oauth/getUserInfo?accessToken=<access_token>`
+- Method: `GET`
+- Response expected shape (simplified):
+  ```json
+  {
+    "success": true,
+    "data": { "apiKey": "...", "email": "..." }
+  }
+  ```
+- On success, the extracted `apiKey` is appended to stored credentials and cached.
+- Retries: The bundle performs up to 3 retries with backoff for transient (5xx / 408 / 429) failures.
+
+Persisted Credential Structure (conceptual)
+- Keys stored: `access_token`, `refresh_token`, `expiry_date`, `token_type`, `scope`, optionally `apiKey`.
+- File path: derived via internal helper (not exposed here); replication may choose its own path (e.g. `~/.iflow/credentials.json`).
+  - Permissions set mode `0600` (decimal 384) when writing.
+
+Refresh Flow
+- Trigger conditions:
+  - Token nearing expiry (< 24 hours) or explicit refresh check in background tasks.
+- Refresh request:
+  - POST `https://iflow.cn/oauth/token`
+  - Headers: same as authorization-code exchange.
+  - Body params:
+    - `grant_type=refresh_token`
+    - `refresh_token=<stored_refresh_token>`
+    - `client_id=10009311001`
+    - `client_secret=4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW`
+- Response handling mirrors initial token response (update expiry, access/refresh tokens, scope, token type). May re-fetch user info to ensure `apiKey` is current.
+
+PKCE Status
+- The bundle contains a generic OAuth library with PKCE helpers (code_verifier / code_challenge generation) for other issuers.
+- The iFlow-specific code path DOES NOT include `code_challenge` or `code_verifier` in its authorization or token requests.
+- Conclusion: PKCE is NOT required for the current iFlow CLI flow; replication should omit PKCE unless the provider later enforces it.
+
+Environment Variables Influencing Flow
+- `OAUTH_CALLBACK_PORT`: If set and valid (1–65535), use as callback port instead of ephemeral port.
+- `OAUTH_CALLBACK_HOST`: Hostname for listening; default `localhost`.
+- (Potential others exist for generic flows, but only these are critical for iFlow-specific path.)
+
+Security Considerations
+- State validation prevents CSRF / unsolicited redirects.
+- The unusual embedding of state inside the `redirect` parameter means the state also appears server-side only if parsed out; exact replication should preserve this pattern unless confirmed safe to normalize.
+- Basic auth header exposes client_secret; always use HTTPS (the CLI does). Do not log raw Authorization headers.
+- Persisted credentials should be stored with restrictive file permissions.
+- Refresh token invalidation must trigger re-authentication (bundle clears credentials on failure).
+
+Error Handling Patterns (Simplified)
+- Authorization errors: Redirect user to error page `https://iflow.cn/oauth/error`.
+- Token request failure: Inspect HTTP status & status text; raise user-facing error.
+- Refresh failure or expiry: Clear credential file and require re-login.
+- User info failures: Retry transient errors (5xx / 408 / 429), otherwise log and continue without apiKey.
+
+Replication Checklist
+1. Generate random hex `state` (32 bytes recommended).  
+2. Select callback port: env override or ephemeral free port.  
+3. Build callback URL `http://localhost:{port}/oauth2callback`.  
+4. Compose authorization URL exactly as bundle does (embedded `&state=` inside `redirect` value).  
+5. Launch local HTTP server; validate `state`, extract `code`.  
+6. Exchange code using Basic auth + form body (include both client_id/client_secret).  
+7. Store credentials; compute `expiry_date = now + expires_in*1000`.  
+8. Fetch user info to get `apiKey`; attach to stored credentials.  
+9. Implement refresh POST (grant_type=refresh_token) with same auth style.  
+10. Implement retry & expiry logic; clear credentials if permanently invalid.  
+11. Never include PKCE unless provider changes requirements.  
+12. Optionally open browser automatically and present fallback URL if open fails.  
+
+Minimal Pseudocode Outline (Language-Agnostic)
+```text
+state = randomHex(32)
+port = env.OAUTH_CALLBACK_PORT || findFreePort()
+callback = "http://localhost:" + port + "/oauth2callback"
+redirectParamValue = urlencode(callback) + "&state=" + state
+authUrl = "https://iflow.cn/oauth?loginMethod=phone&type=phone&redirect=" + redirectParamValue + "&client_id=10009311001"
+
+openBrowser(authUrl)
+code = await waitForCallback(callback, state)
+
+tokenResp = POST https://iflow.cn/oauth/token
+  Headers: Content-Type, Authorization: Basic base64(client_id:client_secret)
+  Body (form): grant_type=authorization_code, code, redirect_uri=callback, client_id, client_secret
+
+creds = {access_token, refresh_token, expiry_date=now+expires_in*1000, token_type, scope}
+userInfo = GET https://iflow.cn/api/oauth/getUserInfo?accessToken=creds.access_token
+if userInfo.success: creds.apiKey = userInfo.data.apiKey
+store(creds)
+
+// Refresh flow
+if nearing expiry:
+  refreshResp = POST https://iflow.cn/oauth/token (grant_type=refresh_token,...)
+  update creds, optionally re-fetch apiKey
+```
+
+Testing Recommendations
+- Simulate callback manually with crafted URL containing correct `code` & `state` to test server path.
+- Validate rejection on mismatched state.
+- Confirm `apiKey` presence after user info call.
+- Force refresh by adjusting expiry_date to near past and invoking refresh routine.
+
+Future-Proofing
+- Monitor provider announcements for PKCE enforcement; if required, switch to `code_challenge` / `code_verifier` standard pattern.
+- Consider switching state embedding to separate query parameter if provider standardizes (requires test).
+
+Summary
+- The iFlow CLI uses a straightforward OAuth2 Authorization Code Grant with Basic client authentication and NO PKCE.
+- The distinctive element is embedding `state` within the `redirect` parameter value.
+- Replication requires careful reconstruction of the authorization URL, robust callback validation, token + refresh exchanges, and an additional user info call to retrieve the operational `apiKey`.
+
+-- End of extracted flow documentation

docs/iflow_js_bundle_summary.md

@@ -0,0 +1,86 @@
+**iFlow JS Bundle Summary**
+
+Path: `external/iflow-cli-tarball/package/bundle/iflow.js`
+
+Purpose
+- A single-file bundled/minified Node/Browser CLI distribution for the iFlow CLI.
+- Contains the CLI runtime, UI strings, crypto helpers, networking logic and an OAuth-based authentication flow used by iFlow's tooling.
+
+Bundle metadata
+- File size (approx): ~10.2 MB (minified/bundled, many libraries included).
+- Other files in same folder: `iflow-cli-vscode-ide-companion-*.vsix`, `sandbox-*.sb` files (IDE companions / sandbox artifacts).
+
+High-level contents and useful targets
+- Crypto helpers
+  - Implements both browser and Node crypto adapters (named `BrowserCrypto` and `NodeCrypto`).
+  - Exposed helpers include: `sha256DigestHex`, `sha256DigestBase64`, random bytes generator, HMAC signing helpers, and base64 helpers.
+  - These utilities are used to compute PKCE code_challenge values (S256) and other digests.
+
+- PKCE evidence
+  - The bundle includes code that computes SHA-256 digests and derives hex/base64 strings. This is strong evidence PKCE is used by the CLI.
+  - Keywords to look for: `sha256DigestHex`, `code_challenge`, `code_verifier`, `code_challenge_method`, `PKCE`, `S256`.
+
+- OAuth + Browser flow
+  - The CLI appears to use a browser-based authorization flow:
+    - It constructs an authorization URL (authUrl) and attempts to open it in the user's browser.
+    - It starts or expects a local callback path (the pattern `/oauth2callback` appears in the bundle).
+    - After the browser redirects to the local callback, the bundle's callback handler extracts `code` and `state` and resolves them (pattern seen as resolving an object like `{code: c, state: u}`).
+  - User-facing strings found in the bundle include messages and instructions such as:
+    - "Attempting to open authentication page in your browser."
+    - "Navigate to the URL below to sign in" (or similar localized messages).
+
+- Token exchange and API-key retrieval
+  - The bundle contains logic that exchanges an authorization code for tokens and then retrieves user info to extract provider-specific `apiKey` (iFlow uses a separate API key for API calls).
+  - Token exchange patterns include POSTing to token endpoints and handling success/error JSON responses.
+  - Note: In some CLI flows, both PKCE and client-secret based exchanges may be present; inspect the exact token-request payload to confirm which parameters are sent.
+
+- Additional artifacts bundled
+  - Localization strings, telemetry/logging code, UI wrappers, and other third-party libraries are bundled together, making raw inspection noisy.
+
+Practical guidance for other agents
+- Why it's tricky
+  - `iflow.js` is minified/compiled and contains many third-party modules concatenated together. This makes it hard to read directly—searching for specific keywords is the fastest approach.
+
+- Key search terms (recommended)
+  - `sha256`, `sha256DigestHex`, `code_challenge`, `code_verifier`, `code_challenge_method`, `authUrl`, `oauth2callback`, `Attempting to open`, `authUrl`, `authorize`, `token`, `getUserInfo`, `apiKey`, `redirect`, `state`.
+
+- Useful PowerShell commands (run at repo root) to inspect the bundle quickly
+  - Search for keywords:
+```powershell
+Select-String -Path external\iflow-cli-tarball\package\bundle\iflow.js -Pattern "sha256|code_challenge|authUrl|oauth2callback|getUserInfo|apiKey|Attempting to open" -SimpleMatch
+```
+  - View a nearby window of lines (example indices found via Select-String):
+```powershell
+# read lines 940..1005 (example offsets)
+(Get-Content -Path 'external\iflow-cli-tarball\package\bundle\iflow.js')[940..1005] -join "`n"
+```
+
+- How to extract provider-specific values
+  1. Search for `client_id`, `authorize`, `oauth` and `token` strings to find endpoint constants and client identifiers.
+  2. Look for `authUrl` construction code to see which query parameters are included (e.g., `redirect`, `state`, `client_id`, `code_challenge`).
+  3. Inspect token exchange code to see whether it sends `client_secret` or `code_verifier` (or both).
+
+- Repro steps for someone implementing the auth flow in another language (concise)
+  1. Locate the `authUrl` construction and confirm required query params (client_id, redirect, state, any `loginMethod`/`type` parameters).
+ 2. Confirm whether PKCE is required by checking for `code_challenge`/`code_challenge_method` in the auth request and `code_verifier` in the token request.
+ 3. Confirm redirect URI path (`/oauth2callback` pattern) and port if the CLI starts a local callback server.
+ 4. Confirm token exchange method and auth method (Basic auth with client_id:client_secret in Authorization header OR an exchange that uses client_secret in body, or an exchange that uses `code_verifier` and omits client_secret).
+ 5. Confirm post-token user info fetch that returns `apiKey` separately—recreate that call to obtain the API key.
+
+- Recommendations / next actions for an agent
+  - If you need to replicate exactly, extract the authUrl and token request payloads verbatim from the bundle.
+  - If the bundle uses PKCE, add PKCE (code_verifier + code_challenge=S256) to your client implementation. If it uses Basic client_secret authentication instead, ensure you include the client_secret in exchanges.
+  - Use a modular approach: implement the browser + callback pattern, but make the PKCE piece optional/conditional so it can work with servers that require or permit it.
+
+- References inside this repo (helpful snippets to reuse)
+  - Example PKCE helper exists in `src/rotator_library/providers/qwen_auth_base.py` — you can reuse code-verifier / code-challenge generation from there.
+
+Appendix: quick checklist for auditors
+- [ ] Confirm `authUrl` query parameters.
+- [ ] Confirm presence of `code_challenge` in auth request.
+- [ ] Confirm presence of `code_verifier` in token request.
+- [ ] Confirm token exchange auth method (Basic, client_secret body param, or neither).
+- [ ] Confirm local callback path and default port.
+- [ ] Confirm user-info endpoint that returns `apiKey`.
+
+-- End of summary

src/rotator_library/background_refresher.py

@@ -17,11 +17,11 @@ class BackgroundRefresher:
     """
     def __init__(self, client: 'RotatingClient'):
         try:
-            interval_str = os.getenv("OAUTH_REFRESH_INTERVAL", "3600")
+            interval_str = os.getenv("OAUTH_REFRESH_INTERVAL", "600")
             self._interval = int(interval_str)
         except ValueError:
-            lib_logger.warning(f"Invalid OAUTH_REFRESH_INTERVAL '{interval_str}'. Falling back to 3600s.")
-            self._interval = 3600
+            lib_logger.warning(f"Invalid OAUTH_REFRESH_INTERVAL '{interval_str}'. Falling back to 600s.")
+            self._interval = 600
         self._client = client
         self._task: Optional[asyncio.Task] = None
 
@@ -46,8 +46,7 @@ class BackgroundRefresher:
         """The main loop for the background task."""
         while True:
             try:
-                await asyncio.sleep(self._interval)
-                lib_logger.info("Running proactive token refresh check...")
+                #lib_logger.info("Running proactive token refresh check...")
 
                 oauth_configs = self._client.get_oauth_credentials()
                 for provider, paths in oauth_configs.items():
@@ -58,6 +57,7 @@ class BackgroundRefresher:
                                 await provider_plugin.proactively_refresh(path)
                             except Exception as e:
                                 lib_logger.error(f"Error during proactive refresh for '{path}': {e}")
+                await asyncio.sleep(self._interval)
             except asyncio.CancelledError:
                 break
             except Exception as e:

src/rotator_library/providers/gemini_auth_base.py

@@ -23,7 +23,7 @@ CLIENT_ID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleuserconten
 CLIENT_SECRET = "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" #https://api.kilocode.ai/extension-config.json
 TOKEN_URI = "https://oauth2.googleapis.com/token"
 USER_INFO_URI = "https://www.googleapis.com/oauth2/v1/userinfo"
-REFRESH_EXPIRY_BUFFER_SECONDS = 300
+REFRESH_EXPIRY_BUFFER_SECONDS = 30 * 60  # 30 minutes buffer before expiry
 
 console = Console()
 
@@ -192,7 +192,7 @@ class GeminiAuthBase:
             if not force and not self._is_token_expired(self._credentials_cache.get(path, creds)):
                 return self._credentials_cache.get(path, creds)
 
-            lib_logger.info(f"Refreshing Gemini OAuth token for '{Path(path).name}' (forced: {force})...")
+            lib_logger.debug(f"Refreshing Gemini OAuth token for '{Path(path).name}' (forced: {force})...")
             refresh_token = creds.get("refresh_token")
             if not refresh_token:
                 raise ValueError("No refresh_token found in credentials file.")
@@ -317,7 +317,7 @@ class GeminiAuthBase:
                 # But log it for debugging purposes
 
             await self._save_credentials(path, creds)
-            lib_logger.info(f"Successfully refreshed Gemini OAuth token for '{Path(path).name}'.")
+            lib_logger.debug(f"Successfully refreshed Gemini OAuth token for '{Path(path).name}'.")
             return creds
 
     async def proactively_refresh(self, credential_path: str):

src/rotator_library/providers/iflow_auth_base.py

@@ -414,7 +414,7 @@ class IFlowAuthBase:
 
             creds_from_file = self._credentials_cache[path]
 
-            lib_logger.info(f"Refreshing iFlow OAuth token for '{Path(path).name}'...")
+            lib_logger.debug(f"Refreshing iFlow OAuth token for '{Path(path).name}'...")
             refresh_token = creds_from_file.get("refresh_token")
             if not refresh_token:
                 raise ValueError("No refresh_token found in iFlow credentials file.")
@@ -452,6 +452,9 @@ class IFlowAuthBase:
                     except httpx.HTTPStatusError as e:
                         last_error = e
                         status_code = e.response.status_code
+                        error_body = e.response.text
+
+                        lib_logger.error(f"[REFRESH HTTP ERROR] HTTP {status_code} for '{Path(path).name}': {error_body}")
 
                         # [STATUS CODE HANDLING]
                         if status_code in (401, 403):
@@ -522,7 +525,7 @@ class IFlowAuthBase:
             creds_from_file["_proxy_metadata"]["last_check_timestamp"] = time.time()
 
             await self._save_credentials(path, creds_from_file)
-            lib_logger.info(f"Successfully refreshed iFlow OAuth token for '{Path(path).name}'.")
+            lib_logger.debug(f"Successfully refreshed iFlow OAuth token for '{Path(path).name}'.")
             return creds_from_file
 
     async def get_api_details(self, credential_identifier: str) -> Tuple[str, str]:

src/rotator_library/providers/qwen_auth_base.py

@@ -25,7 +25,7 @@ lib_logger = logging.getLogger('rotator_library')
 CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56" #https://api.kilocode.ai/extension-config.json
 SCOPE = "openid profile email model.completion"
 TOKEN_ENDPOINT = "https://chat.qwen.ai/api/v1/oauth2/token"
-REFRESH_EXPIRY_BUFFER_SECONDS = 300
+REFRESH_EXPIRY_BUFFER_SECONDS = 3 * 60 * 60  # 3 hours buffer before expiry
 
 console = Console()
 
@@ -186,9 +186,10 @@ class QwenAuthBase:
 
             creds_from_file = self._credentials_cache[path]
 
-            lib_logger.info(f"Refreshing Qwen OAuth token for '{Path(path).name}'...")
+            lib_logger.debug(f"Refreshing Qwen OAuth token for '{Path(path).name}'...")
             refresh_token = creds_from_file.get("refresh_token")
             if not refresh_token:
+                lib_logger.error(f"No refresh_token found in '{Path(path).name}'")
                 raise ValueError("No refresh_token found in Qwen credentials file.")
 
             # [RETRY LOGIC] Implement exponential backoff for transient errors
@@ -197,6 +198,8 @@ class QwenAuthBase:
             last_error = None
 
             headers = {
+                "Content-Type": "application/x-www-form-urlencoded",
+                "Accept": "application/json",
                 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
             }
 
@@ -215,6 +218,8 @@ class QwenAuthBase:
                     except httpx.HTTPStatusError as e:
                         last_error = e
                         status_code = e.response.status_code
+                        error_body = e.response.text
+                        lib_logger.error(f"HTTP {status_code} for '{Path(path).name}': {error_body}")
 
                         # [STATUS CODE HANDLING]
                         if status_code in (401, 403):
@@ -265,7 +270,7 @@ class QwenAuthBase:
             creds_from_file["_proxy_metadata"]["last_check_timestamp"] = time.time()
 
             await self._save_credentials(path, creds_from_file)
-            lib_logger.info(f"Successfully refreshed Qwen OAuth token for '{Path(path).name}'.")
+            lib_logger.debug(f"Successfully refreshed Qwen OAuth token for '{Path(path).name}'.")
             return creds_from_file
 
     async def get_api_details(self, credential_identifier: str) -> Tuple[str, str]:

src/rotator_library/usage_manager.py

@@ -105,7 +105,7 @@ class UsageManager:
                     last_reset_dt is None
                     or last_reset_dt < reset_threshold_today <= now_utc
                 ):
-                    lib_logger.info(f"Performing daily reset for key ...{key[-6:]}")
+                    lib_logger.debug(f"Performing daily reset for key ...{key[-6:]}")
                     needs_saving = True
 
                     # Reset cooldowns