When ValidateToken detects a rate limit (403 with rate-limit headers or 429), it returns "valid" without actually confirming the token with the provider. Nothing logs or metrics this, so operators cannot distinguish "provider confirmed the token" from "we assumed it was valid because we were rate-limited."
Context: coder/coder#24334
🤖 Generated with the help of Coder Agents on behalf of @mafredri.
When
ValidateTokendetects a rate limit (403 with rate-limit headers or 429), it returns "valid" without actually confirming the token with the provider. Nothing logs or metrics this, so operators cannot distinguish "provider confirmed the token" from "we assumed it was valid because we were rate-limited."Context: coder/coder#24334