Can you explain the situation where you want to do any of this?
Without “allow access without authentication”, any access to Plex endpoints without a valid token should result in a 401 Unauthorised response.
When you enable “allow access without authentication”, then, well, access from that IP address or address range will bypass the authentication because you configured that those devices do not need authentication.
Furthermore, that bypass does not use the admin account. This is a dummy account that is separate from your normal user account, which is the admin of the Plex server, since you cannot (or don’t want to) authenticate with that user account.
This “authentication bypass” should usually only be used for when you don’t have access to your account.
This is what my users want and do to be able to always connect when Plex.tv is down.
If you pass a valid token even without auth, it’s used; when the token expires it automatically falls back to another account, and there’s AFAIK no endpoint to check if the token is still valid to get a new one.
You are describing 2 separate things. If you enable access without authentication, tokens do not play a role. If a token is sent from an IP that does not require authentication, the token gets ignored. Without a token, PMS will treat the request as being from the admin account. You cannot allow access to PMS from a user account with an expired token. There is no backup for this.
Why is the token expired? The token should only expire if the user logs out from the client or they changed their password and chose to log out of all devices.
Plex.tv being offline does not cause the token to expire. PMS and clients will cache the token so it should still be valid even if plex.tv is down.
Of course, that’s why if you put your LAN IP in “List of IP addresses and networks that are allowed without auth” you can’t use home accounts and managed accounts, because all the tokens are ignored and the switch users in Plex apps just stops working.
And people enable that setting to avoid issues when plex.tv is down. I never said it would have any impact on the tokens, just the reason why they use that option.
Ok. If you understand how tokens work, what is your ask?
If it has to do with accessing your server when plex.tv is down, it should just work. If not, either there is a bug or the user tried logging out and back in thinking it was on their end and ended up getting locked out. If this is the case, not sure how you can show access if a user specifically logs out.
The ask is, well, the first sentence of the first post?
When the token expires, Plex switches to no auth mostly as expected, but I need an endpoint to know that the token is expired, to get a new one or properly show the user that he needs to authenticate again, and not show wrong data that is not from his account.
That is incorrect. If the token is expired, it won’t connect. If you enable unauthenticated access, the token doesn’t matter. You either need a token or you don’t.
Checking if a token is valid is the same as checking if it’s expired. Positive vs negative. If the token is invalid, the client should already show a message that the token has expired unless you’re using a custom client of some sort. You can test this by removing access to a client from Plex web. The next time that client loads, you should see the message.
Seriously, thanks for trying to help, but this is the dev section. I’m a dev, I have written media center related apps for a decade and perfectly understand how things work.
You should read again what you wrote and see the problem that is summarized in the first sentence of the first post.
Sadly, this will likely be marked as wontfix, as the Plex authentication API is hybrid and confusing, or at least that’s how I understand it.
1- Tokens are generated via the Plex API, not locally.
2- When you switch home/managed user, the server asks Plex to generate a token.
3- The issue arises due to the fact that the Plex server API doesn’t have a user identifier; the user is identified by a token. Thus, when the token expires it simply falls back to the default 1 user, which in this case is most likely the admin of the server due to auth being turned off.
Unless a major redesign of the API is on the table, your best bet is to simply refuse to work if the plex.tv API is down for users other than admin, as there simply isn’t a way to generate a token locally.
This could be solved simply by, you know, having API keys instead of those tokens. Then you would have:
1- users list locally.
2- identify user by their IDs.
3- access their data by setting for example X-Plex-User=1&X-Plex-APIKey=random_bits.
This would solve many local problems but afaik there are no plans to do so.
The actual problem is only 3. There’s no reason to call plex.tv on each start of the app to check or generate a token, as it consumes data and CPU and is error prone if plex.tv is not reachable.
There just needs to be an endpoint on the server to test the token even if LAN auth is disabled, to detect the issue in an efficient way, and have clients able to react (either get a new token, show an error, …). Anything but fall back to another user and mix data without a way to properly detect it.
But your comment actually gave me an idea: the /user endpoint does return the user id/uuid associated with the token. I guess if there’s fallback for that endpoint too, it would actually give the wrong uuid too, and I could use that to detect the issue.
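The detection idea from the last post, written out as an added example (not code from the thread or from Plex): the client stores the user's uuid at login and, before rendering per-user data, compares it with the identity reported for the cached token. The response shape (a dict with a `uuid` key), the function names and the sample values are assumptions made for illustration.

```python
from enum import Enum

class TokenState(Enum):
    VALID = "valid"            # endpoint maps the token to the expected user
    REJECTED = "rejected"      # 401: token expired or revoked
    WRONG_USER = "wrong_user"  # request succeeded under a different identity
    UNKNOWN = "unknown"        # identity could not be confirmed

def classify_identity(expected_uuid, status, body):
    """Compare the reported identity with the one cached at login.

    status: HTTP status of the identity request sent with the cached token.
    body:   parsed response as a dict (assumed shape), or None.
    """
    if status == 401:
        return TokenState.REJECTED
    if status != 200 or not isinstance(body, dict):
        return TokenState.UNKNOWN
    reported = body.get("uuid")
    if not reported:
        # A 200 without an identity proves nothing: fail closed.
        return TokenState.UNKNOWN
    if str(reported).strip().lower() != expected_uuid.strip().lower():
        # Auth bypass answered as the fallback account, not this user.
        return TokenState.WRONG_USER
    return TokenState.VALID

def may_show_user_data(state):
    """Only a confirmed match may render watch state, libraries, etc."""
    return state is TokenState.VALID

def next_action(state):
    """Map each outcome to what the client should do next."""
    return {
        TokenState.VALID: "continue",
        TokenState.REJECTED: "reauthenticate",
        TokenState.WRONG_USER: "discard_session_and_reauthenticate",
        TokenState.UNKNOWN: "retry_later",
    }[state]

if __name__ == "__main__":
    cached = "user-uuid-0001"  # constructed value stored at login
    # Constructed responses, not captured from a real server.
    samples = [(200, {"uuid": "user-uuid-0001"}), (401, None),
               (200, {"uuid": "fallback-uuid-9999"}), (503, None)]
    for status, body in samples:
        state = classify_identity(cached, status, body)
        print(status, state.value, next_action(state))
```

The check only detects the fallback if the identity endpoint itself answers under the fallback account, which is the open question raised in the post.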