I'm just looking at the API response waiting for a HTTP 401 which then triggers the script to request a new token then sends the same order again with the new bearer token - is this sane?

Sounds reasonable, hopefully you get a different error code if your credentials are revoked

Yes, if your code is modular.

You can probably add onto it if you need to manage the token more closely

If it were me, I'd have a separate API client class that handled authentication including token refresh behind the scenes - that sort of stuff shouldn't leak into your main business logic.

Same error code for bad auth or expired auth