This isn't such a big issue since we cache all API calls immediately on login, but it's still a good idea to have some functionality to refresh tokens somewhere in the app. There is also no error handling for OAuthExceptions in the rc.get calls sprinkled in api.py

The new personal access tokens 🔒 allow applications to make API calls unrelated to a given login, and in my experience the OAuth login flow is quick enough that it can be redone as needed without too much user impact. I think we could close this.