For handling a typical oauth flow from my server where I get a 401 and then I want to try to use my refresh token to get a new access token. Best to just handle in an interceptor (network or application) or just use the authenticator apis in okhttp?

Application interceptor. Network interceptors need exactly 1 request. And if you need to set headers in first place why wait for the initial 401.

thanks for the pointer on the application interceptor. I don't understand you second point though

And if you need to set headers in first place why wait for the initial 401.

Can you rephrase?

Ahh, yep. Authenticator API triggers on a 401. So when you know a request requires auth, and may also require a refresh you can save that initial (non refresh request) by putting that logic in an interceptor that does both.