Sometimes I see this:
failed to create Gitea client: failed to refresh token: oauth2: unauthorized client: token was already used
Sound like a race condition when refreshing a token.
I'm also seeing "failed to create Gitea client: failed to refresh token: oauth2: unauthorized client: unable to parse refresh token" in a project right now, not sure that's related to this one.