fix: accept opaque UiPath reference tokens (rt_) as access token

UiPath Coded Agents can authenticate with reference tokens (rt_...),
which are opaque handles rather than JWTs. PlatformSettings previously
rejected them with "Invalid access token: expected JWT with at least 2
dot-separated parts" because validation assumed every token is a JWT.

Add is_reference_token() helper; is_token_expired() now returns False
for reference tokens (they cannot be introspected) and the settings
validator skips client_id extraction for them.

Bumps core and langchain to 1.13.1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: cosminacho

packages/uipath_langchain_client/CHANGELOG.md

@@ -2,6 +2,11 @@
 
 All notable changes to `uipath_langchain_client` will be documented in this file.
 
+## [1.13.1] - 2026-06-09
+
+### Fixed
+- Picks up the core `uipath-llm-client` 1.13.1 fix allowing opaque UiPath reference tokens (`rt_...`) as `UIPATH_ACCESS_TOKEN`, so LangChain clients built on `PlatformSettings` no longer fail validation with "Invalid access token: expected JWT with at least 2 dot-separated parts".
+
 ## [1.13.0] - 2026-05-27
 
 ### Changed

packages/uipath_langchain_client/pyproject.toml

@@ -6,7 +6,7 @@ readme = "README.md"
 requires-python = ">=3.11"
 dependencies = [
     "langchain>=1.2.15,<2.0.0",
-    "uipath-llm-client>=1.13.0,<2.0.0",
+    "uipath-llm-client>=1.13.1,<2.0.0",
 ]
 
 [project.optional-dependencies]

packages/uipath_langchain_client/src/uipath_langchain_client/__version__.py

@@ -1,3 +1,3 @@
 __title__ = "UiPath LangChain Client"
 __description__ = "A Python client for interacting with UiPath's LLM services via LangChain."
-__version__ = "1.13.0"
+__version__ = "1.13.1"

src/uipath/llm_client/__version__.py

@@ -1,3 +1,3 @@
 __title__ = "UiPath LLM Client"
 __description__ = "A Python client for interacting with UiPath's LLM services."
-__version__ = "1.13.0"
+__version__ = "1.13.1"

src/uipath/llm_client/settings/platform/settings.py

@@ -30,7 +30,11 @@
 
 from uipath.llm_client.settings.base import UiPathAPIConfig, UiPathBaseSettings
 from uipath.llm_client.settings.constants import ApiType, RoutingMode
-from uipath.llm_client.settings.platform.utils import is_token_expired, parse_access_token
+from uipath.llm_client.settings.platform.utils import (
+    is_reference_token,
+    is_token_expired,
+    parse_access_token,
+)
 
 
 class PlatformBaseSettings(UiPathBaseSettings):
@@ -81,8 +85,11 @@ def validate_environment(self) -> Self:
                 "Access token is expired. Try running `uipath auth` to refresh the token."
             )
 
-        parsed_token_data = parse_access_token(access_token)
-        self.client_id = parsed_token_data.get("client_id")
+        # Reference tokens (rt_...) are opaque and carry no client-readable
+        # claims, so there is nothing to extract.
+        if not is_reference_token(access_token):
+            parsed_token_data = parse_access_token(access_token)
+            self.client_id = parsed_token_data.get("client_id")
         return self
 
     @staticmethod

src/uipath/llm_client/settings/platform/utils.py

@@ -3,6 +3,19 @@
 import time
 from typing import Any
 
+# UiPath reference tokens (e.g. ``rt_abc...``) are opaque handles, not JWTs.
+# They cannot be split, decoded, or introspected client-side.
+REFERENCE_TOKEN_PREFIX = "rt_"
+
+
+def is_reference_token(access_token: str) -> bool:
+    """Return True if the token is an opaque UiPath reference token (``rt_...``).
+
+    Reference tokens are not JWTs and carry no client-readable payload, so
+    expiry checks and claim extraction must be skipped for them.
+    """
+    return access_token.startswith(REFERENCE_TOKEN_PREFIX)
+
 
 def parse_access_token(access_token: str) -> dict[str, Any]:
     """Parse a JWT access token and return the payload as a dict.
@@ -33,8 +46,11 @@ def is_token_expired(token: str) -> bool:
         token: A JWT token string.
 
     Returns:
-        True if the token is expired, False if it is still valid or has no ``exp`` claim.
+        True if the token is expired, False if it is still valid, has no ``exp``
+        claim, or is an opaque reference token whose expiry cannot be inspected.
     """
+    if is_reference_token(token):
+        return False
     token_data = parse_access_token(token)
     exp = token_data.get("exp")
     if exp is None:

tests/core/features/settings/test_platform.py

@@ -250,6 +250,19 @@ def test_validation_fails_on_expired_token(self):
                 with pytest.raises(ValueError, match="Access token is expired"):
                     PlatformSettings()
 
+    def test_reference_token_is_accepted(self):
+        """Opaque reference tokens (rt_...) are accepted without JWT parsing."""
+        env = {
+            "UIPATH_ACCESS_TOKEN": "rt_abc123",
+            "UIPATH_URL": "https://cloud.uipath.com/org/tenant",
+            "UIPATH_TENANT_ID": "test-tenant-id",
+            "UIPATH_ORGANIZATION_ID": "test-org-id",
+        }
+        with patch.dict(os.environ, env, clear=True):
+            settings = PlatformSettings()
+            assert settings.access_token.get_secret_value() == "rt_abc123"
+            assert settings.client_id is None
+
     def test_validate_byo_model_is_noop(self, platform_env_vars, mock_platform_auth):
         """Test validate_byo_model does nothing (no-op)."""
         with patch.dict(os.environ, platform_env_vars, clear=True):

tests/core/features/test_platform_utils.py

@@ -6,7 +6,11 @@
 
 import pytest
 
-from uipath.llm_client.settings.platform.utils import is_token_expired, parse_access_token
+from uipath.llm_client.settings.platform.utils import (
+    is_reference_token,
+    is_token_expired,
+    parse_access_token,
+)
 
 
 class TestParseAccessToken:
@@ -69,3 +73,16 @@ def test_missing_exp_claim(self):
         token = f"header.{encoded_payload}.signature"
 
         assert is_token_expired(token) is False
+
+    def test_reference_token_not_expired(self):
+        # Opaque reference tokens cannot be introspected, so they are never
+        # treated as expired (and must not raise during parsing).
+        assert is_token_expired("rt_abc123") is False
+
+
+class TestIsReferenceToken:
+    def test_reference_token(self):
+        assert is_reference_token("rt_abc123") is True
+
+    def test_jwt_is_not_reference_token(self):
+        assert is_reference_token("header.payload.signature") is False