Bolt auth

JWT Token Validation Fails - Invalid Signature or Expiration

API requests fail with JWT verification errors even though the token appears valid. Tokens work initially but fail after some time or across different server instances.

Symptoms include immediate '401 Unauthorized' on API calls, 'JsonWebTokenError: invalid signature', or tokens expiring immediately after issue.

Error Messages You Might See

JsonWebTokenError: invalid signature Error: Token used before valid TokenExpiredError: jwt expired 401 Unauthorized: Invalid token
JsonWebTokenError: invalid signatureError: Token used before validTokenExpiredError: jwt expired401 Unauthorized: Invalid token

Common Causes

  1. Secret key mismatch between token creation and verification
  2. JWT expires too quickly or has wrong expiration time
  3. Token created with different secret than verification uses
  4. Multiple server instances using different secrets
  5. Clock skew between client and server causing 'not yet valid' errors

How to Fix It

Store JWT secret in environment variable and use identical value for both signing and verification

Set reasonable expiration: 15min for access token, 7d for refresh token

Implement token refresh: when access token expires, use refresh token to get new one without user re-logging in

Real developers can help you.

Jared Hasson Jared Hasson Full time lead founding dev at a cyber security saas startup, with 10 yoe and a bachelor's in CS. Building & debugging software products is what I've spent my time on for forever Richard McSorley Richard McSorley Full-Stack Software Engineer with 8+ years building high-performance applications for enterprise clients. Shipped production systems at Walmart (4,000+ stores), Cigna (20M+ users), and Arkansas Blue Cross. 5 patents in retail/supply chain tech. Currently focused on AI integrations, automation tools, and TypeScript-first architectures. Alvin Voo Alvin Voo I’ve watched the tech landscape evolve over the last decade—from the structured days of Java Server Pages to the current "wild west" of Agentic-driven development. While AI can "vibe" a frontend into existence, I specialize in the architecture that keeps it from collapsing. My expertise lies in the critical backend infrastructure: the parts that must be fast, secure, and scalable. I thrive on high-pressure environments, such as when I had only three weeks to architect and launch an Ethereum redemption system with minimal prior crypto knowledge, turning it into a major revenue stream. What I bring to your project: Forensic Debugging: I don't just "patch" bugs; I use tools like Datadog and Explain Analyzers to map out bottlenecks and resolve root causes—like significantly reducing memory usage by optimizing complex DB joins. Full-Stack Context: Deep experience in Node.js and React, ensuring backends play perfectly with mobile and web teams. Sanity in the Age of AI: I bridge the gap between "best practices" and modern speed, ensuring your project isn't just built fast, but built to last. Luca Liberati Luca Liberati I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture Victor Denisov Victor Denisov Developer Daniel Vázquez Daniel Vázquez Software Engineer with over 10 years of experience on Startups, Government, big tech industry & consulting. Stanislav Prigodich Stanislav Prigodich 15+ years building iOS and web apps at startups and enterprise companies. I want to use that experience to help builders ship real products - when something breaks, I'm here to fix it. Rudra Bhikadiya Rudra Bhikadiya I build and fix web apps across Next.js, Node.js, and DBs. Comfortable jumping into messy code, broken APIs, and mysterious bugs. If your project works in theory but not in reality, I help close that gap. rayush33 rayush33 JavaScript (React.js, React Native, Node.js) Developer with demonstrated industry experience of 4+ years, actively looking for opportunities to hone my skills as well as help small-scale business owners with solutions to technical problems Franck Plazanet Franck Plazanet I am a Strategic Engineering Leader with over 8 years of experience building high-availability enterprise systems and scaling high-performing technical teams. My focus is on bridging the gap between complex technology and business growth. Core Expertise: 🚀 Leadership: Managing and coaching teams of 15+ engineers, fostering a culture of accountability and continuous improvement. 🏗️ Architecture: Enterprise Core Systems, Multi-system Integration (ERP/API/ETL), and Core Database Structure. ☁️ Cloud & Scale: AWS Expert; architected systems handling 10B+ monthly requests and managing 100k+ SKUs. 📈 Business Impact: Aligning tech strategy with P&L goals to drive $70k+ in monthly recurring revenue. I thrive on "out-of-the-box" thinking to solve complex technical bottlenecks and am always looking for ways to use automation to improve business productivity.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

What's a good JWT expiration time?

Access tokens: 15 minutes. Refresh tokens: 7 days. This balances security with user experience

How do I implement token refresh?

Store refresh token in secure httpOnly cookie. When access token expires, send refresh token to /api/refresh endpoint to get new access token

Why does my token fail on different servers?

Ensure all server instances use the same JWT secret from environment variables

Related Bolt Issues

OAuth2 Provider Not Configured - Missing Client ID

auth

Session Lost on Page Refresh - Auth State Not Persisting

auth

Protected Routes Redirecting Unauthenticated Users Incorrectly

auth

Infinite Redirect Loop - Auth Redirect Not Ending

auth

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help