Using the Nuxeo JS Client through Node, and using the Portal authentication, I've noticed something I'm unsure is intended or not.
When one configures a new auth secret key, there's a time expiration. Looking at the code that checks the token generated from the secret key, it's checking the current time versus the time of the request, and then checking it against the allowed time (GitHub link), however, the JS Client only generates the token 1 time (GitHub link) and has no method or way to re-generate it, nor does the client have a destroy/disconnect method.
This means that in your application, if you create a new instance of the Nuxeo Client, it's only going to work up until the maxAge is reached, and then start throwing an unauthenticated error (as a side, the error handling for an invalid token seems a bit light as it contains no reason, GitHub link).
The solution of course is to generate the token yourself and updating the relevant headers (NS_TS and NX_TOKEN) on every request.
I'm unsure if this is intended behavior or not, though I'm inclined to think it's not since there is no method to either re-generate the token nor to recycle the connection in order to create a new one.
As a final note, finding documentation on how to formulate the token was a bit more difficult to find than desired, as the API authentication page on your Documentation site doesn't document all the ways you can authenticate: http://doc.nuxeo.com/display/NXDOC/Authenticating+the+requests
