Bolt auth

JWT Token Validation Fails - Invalid Signature or Expiration

API requests fail with JWT verification errors even though the token appears valid. Tokens work initially but fail after some time or across different server instances.

Symptoms include immediate '401 Unauthorized' on API calls, 'JsonWebTokenError: invalid signature', or tokens expiring immediately after issue.

Error Messages You Might See

JsonWebTokenError: invalid signature Error: Token used before valid TokenExpiredError: jwt expired 401 Unauthorized: Invalid token
JsonWebTokenError: invalid signatureError: Token used before validTokenExpiredError: jwt expired401 Unauthorized: Invalid token

Common Causes

  1. Secret key mismatch between token creation and verification
  2. JWT expires too quickly or has wrong expiration time
  3. Token created with different secret than verification uses
  4. Multiple server instances using different secrets
  5. Clock skew between client and server causing 'not yet valid' errors

How to Fix It

Store JWT secret in environment variable and use identical value for both signing and verification

Set reasonable expiration: 15min for access token, 7d for refresh token

Implement token refresh: when access token expires, use refresh token to get new one without user re-logging in

Real developers can help you.

Rudra Bhikadiya Rudra Bhikadiya I build and fix web apps across Next.js, Node.js, and DBs. Comfortable jumping into messy code, broken APIs, and mysterious bugs. If your project works in theory but not in reality, I help close that gap. Richard McSorley Richard McSorley Full-Stack Software Engineer with 8+ years building high-performance applications for enterprise clients. Shipped production systems at Walmart (4,000+ stores), Cigna (20M+ users), and Arkansas Blue Cross. 5 patents in retail/supply chain tech. Currently focused on AI integrations, automation tools, and TypeScript-first architectures. Matthew Butler Matthew Butler Systems Development Engineer @ Amazon Web Services rayush33 rayush33 JavaScript (React.js, React Native, Node.js) Developer with demonstrated industry experience of 4+ years, actively looking for opportunities to hone my skills as well as help small-scale business owners with solutions to technical problems PawelPloszaj PawelPloszaj I'm fronted developer with 10+ years of experience with big projects. I have small backend background too Simon A. Simon A. I'm a backend developer building APIs, emulators, and interactive game systems. Professionally, I've developed Java/Spring reporting solutions, managed relational and NoSQL databases, and implemented CI/CD workflows. Matt Butler Matt Butler Software Engineer @ AWS Mehdi Ben Haddou Mehdi Ben Haddou - Founder of Chessigma (1M+ users) & many small projects - ex Founding Engineer @Uplane (YC F25) - ex Software Engineer @Amazon and @Booking.com hanson1014 hanson1014 Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround. Sage Fulcher Sage Fulcher Hey I'm Sage! Im a Boston area software engineer who grew up in South Florida. Ive worked at a ton of cool places like a telehealth kidney care startup that took part in a billion dollar merger (Cricket health/Interwell health), a boutique design agency where I got to work on a ton of exciting startups including a photography education app, a collegiate Esports league and more (Philosophie), a data analytics as a service startup in Cambridge (MA) as well as at Phillips and MIT Lincoln Lab where I designed and developed novel network security visualizations and analytics. I've been writing code and furiously devoted to using computers to make people’s lives easier for about 17 years. My degree is in making computers make pretty lights and sounds. Outside of work I love hip hop, the Celtics, professional wrestling, magic the gathering, photography, drumming, and guitars (both making and playing them)

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

What's a good JWT expiration time?

Access tokens: 15 minutes. Refresh tokens: 7 days. This balances security with user experience

How do I implement token refresh?

Store refresh token in secure httpOnly cookie. When access token expires, send refresh token to /api/refresh endpoint to get new access token

Why does my token fail on different servers?

Ensure all server instances use the same JWT secret from environment variables

Related Bolt Issues

OAuth2 Provider Not Configured - Missing Client ID

auth

Session Lost on Page Refresh - Auth State Not Persisting

auth

Protected Routes Redirecting Unauthenticated Users Incorrectly

auth

Infinite Redirect Loop - Auth Redirect Not Ending

auth

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help