diff --git a/surfsense_web/components/tool-ui/sandbox-execute.tsx b/surfsense_web/components/tool-ui/sandbox-execute.tsx
index 535968908..2bac3e1ca 100644
--- a/surfsense_web/components/tool-ui/sandbox-execute.tsx
+++ b/surfsense_web/components/tool-ui/sandbox-execute.tsx
@@ -16,7 +16,7 @@ import { z } from "zod";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import { Collapsible, CollapsibleContent, CollapsibleTrigger } from "@/components/ui/collapsible";
-import { getDesktopAccessToken } from "@/lib/auth-fetch";
+import { authenticatedFetch } from "@/lib/auth-fetch";
 import { buildBackendUrl } from "@/lib/env-config";
 import { cn } from "@/lib/utils";
 
@@ -157,14 +157,10 @@ function truncateCommand(command: string, maxLen = 80): string {
 // ============================================================================
 
 async function downloadSandboxFile(threadId: string, filePath: string, fileName: string) {
-	const token = await getDesktopAccessToken();
 	const url = buildBackendUrl(`/api/v1/threads/${threadId}/sandbox/download`, {
 		path: filePath,
 	});
-	const res = await fetch(url, {
-		headers: token ? { Authorization: `Bearer ${token}` } : undefined,
-		credentials: "include",
-	});
+	const res = await authenticatedFetch(url);
 	if (!res.ok) {
 		throw new Error(`Download failed: ${res.statusText}`);
 	}
diff --git a/surfsense_web/lib/apis/base-api.service.ts b/surfsense_web/lib/apis/base-api.service.ts
index 5afb291ba..0cc5224e2 100644
--- a/surfsense_web/lib/apis/base-api.service.ts
+++ b/surfsense_web/lib/apis/base-api.service.ts
@@ -1,4 +1,5 @@
 import type { ZodType } from "zod";
+import { getDesktopAccessToken } from "@/lib/auth-fetch";
 import { buildBackendUrl } from "@/lib/env-config";
 import { getClientPlatform } from "../agent-filesystem";
 import { handleUnauthorized, refreshSession } from "../auth-utils";
@@ -59,11 +60,6 @@ class BaseApiService {
 		return typeof window !== "undefined" && !!window.electronAPI;
 	}
 
-	private async getDesktopAccessToken(): Promise<string> {
-		if (!this.isDesktopClient) return "";
-		return (await window.electronAPI?.getAccessToken?.()) || "";
-	}
-
 	async request<T, R extends ResponseType = ResponseType.JSON>(
 		url: string,
 		responseSchema?: ZodType<T>,
@@ -90,7 +86,7 @@ class BaseApiService {
 				this.noAuthPrefixes.some((prefix) => url.startsWith(prefix)) ||
 				/^\/api\/v1\/invites\/[^/]+\/info$/.test(url);
 			const desktopAccessToken =
-				this.isDesktopClient && !isNoAuthEndpoint ? await this.getDesktopAccessToken() : "";
+				this.isDesktopClient && !isNoAuthEndpoint ? (await getDesktopAccessToken()) || "" : "";
 			const defaultOptions: RequestOptions = {
 				headers: {
 					...(desktopAccessToken ? { Authorization: `Bearer ${desktopAccessToken}` } : {}),
@@ -174,7 +170,9 @@ class BaseApiService {
 					} else if (!isNoAuthEndpoint && !isRefreshRetryBlocked(refreshRetryKey)) {
 						const refreshed = await refreshSession();
 						if (refreshed) {
-							const newToken = this.isDesktopClient ? await this.getDesktopAccessToken() : "";
+							const newToken = this.isDesktopClient
+								? (await getDesktopAccessToken({ forceRefresh: true })) || ""
+								: "";
 							return this.request(url, responseSchema, {
 								...mergedOptions,
 								headers: {