Bolt auth

JWT Token Validation Fails - Invalid Signature or Expiration

API requests fail with JWT verification errors even though the token appears valid. Tokens work initially but fail after some time or across different server instances.

Symptoms include immediate '401 Unauthorized' on API calls, 'JsonWebTokenError: invalid signature', or tokens expiring immediately after issue.

Error Messages You Might See

JsonWebTokenError: invalid signature Error: Token used before valid TokenExpiredError: jwt expired 401 Unauthorized: Invalid token
JsonWebTokenError: invalid signatureError: Token used before validTokenExpiredError: jwt expired401 Unauthorized: Invalid token

Common Causes

  1. Secret key mismatch between token creation and verification
  2. JWT expires too quickly or has wrong expiration time
  3. Token created with different secret than verification uses
  4. Multiple server instances using different secrets
  5. Clock skew between client and server causing 'not yet valid' errors

How to Fix It

Store JWT secret in environment variable and use identical value for both signing and verification

Set reasonable expiration: 15min for access token, 7d for refresh token

Implement token refresh: when access token expires, use refresh token to get new one without user re-logging in

Real developers can help you.

Costea Adrian Costea Adrian Embedded Engineer specilizing in perception systems. Latest project was a adas camera calibration system. legrab legrab I'll fill this later Jacek Rozanski Jacek Rozanski Senior PHP/Symfony developer and DevOps engineer with 20+ years of professional experience, running opcode.pl (web development agency, est. 2004). Day job: I'm the sole backend developer at merketing company where I own and maintain 11 PHP/Symfony microservices on AWS (ECS Fargate, RDS, S3, CloudFront), handle the full CI/CD pipeline (Bitbucket Pipelines, Docker), and manage monitoring with Sentry and CloudWatch. These services handle high request volumes in production every month. What I bring to AI-built apps: - I audit and fix security issues (OWASP methodology), performance bottlenecks, and architectural problems in codebases generated by Cursor, Claude Code, Lovable, Bolt, and v0 - I refactor AI-generated prototypes into production-grade applications with proper error handling, testing, and clean architecture (SOLID, DDD, hexagonal architecture) - I set up the infrastructure AI tools don't touch: AWS hosting, CI/CD pipelines, automated deployments, database optimization, monitoring, and alerting - I integrate external services: payment providers, email systems, partner APIs, SSO/auth Tech stack: PHP 8.x, Symfony, React, Next.js, PostgreSQL, MySQL, Docker, AWS (ECS, RDS, S3, SQS/SNS, CloudFront), Terraform, Supabase. I also use AI tools daily (Claude Code, Cursor) in my own workflow, so I understand both the strengths and the gaps in AI-generated code. Based in Poland (CET timezone). Available for async work and calls during EU/US business hours. Meïr Ankri Meïr Ankri Full-stack developer specializing in React / Next.js / Node.js with 6+ years of experience. I've worked across various sectors including automotive (Reezocar/Société Générale), healthcare (Medical Link SaaS), and e-commerce (Glasman). I build web apps end-to-end, from architecture to production, with a focus on scalability, performance, and code quality. I also mentor junior developers and contribute to technical decisions and code reviews. Caio Rodrigues Caio Rodrigues I'm a full-stack developer focused on building practical and scalable web applications. My main experience is with **React, TypeScript, and modern frontend architectures**, where I prioritize clean code, component reusability, and maintainable project structures. I have strong experience working with **dynamic forms, state management (Redux / React Hook Form), and complex data-driven interfaces**. I enjoy solving real-world problems by turning ideas into reliable software that companies can actually use in their daily operations. Beyond coding, I care about **software quality and architecture**, following best practices for componentization, code organization, and performance optimization. I'm also comfortable working across the stack when needed, integrating APIs, handling business logic, and helping transform prototypes into production-ready systems. My goal is always to deliver solutions that are **simple, efficient, and genuinely useful for the people using them.** Taufan Taufan I’m a product-focused engineer and tech leader who builds scalable systems and turns ideas into production-ready platforms. Over the past years, I’ve worked across startups and fast-moving teams, leading backend architecture, improving system reliability, and shipping products used by thousands of users. My strength is not just writing code — but connecting product vision, technical execution, and business impact. Prakash Prajapati Prakash Prajapati I’m a Senior Python Developer specializing in building secure, scalable, and highly available systems. I work primarily with Python, Django, FastAPI, Docker, PostgreSQL, and modern AI tooling such as PydanticAI, focusing on clean architecture, strong design principles, and reliable DevOps practices. I enjoy solving complex engineering problems and designing systems that are maintainable, resilient, and built to scale. hanson1014 hanson1014 Full-stack developer experienced in fixing and deploying AI-generated apps from Lovable, Bolt.new, Cursor, and Replit. I specialize in debugging Supabase integration issues (auth flows, RLS policies, database connections), fixing broken deployments, resolving routing/blank screen problems, and cleaning up messy React/Vite codebases. I also build production apps with the Claude API and have shipped a Mac desktop dev tool (Nexterm from scratch. Based in Hong Kong, fast turnaround. Mehdi Ben Haddou Mehdi Ben Haddou - Founder of Chessigma (1M+ users) & many small projects - ex Founding Engineer @Uplane (YC F25) - ex Software Engineer @Amazon and @Booking.com Omar Faruk Omar Faruk As a Product Engineer at Klasio, I contributed to end-to-end product development, focusing on scalability, performance, and user experience. My work spanned building and refining core features, developing dynamic website templates, integrating secure and reliable payment gateways, and optimizing the overall system architecture. I played a key role in creating a scalable and maintainable platform to support educators and learners globally. I'm enthusiastic about embracing new challenges and making meaningful contributions.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

What's a good JWT expiration time?

Access tokens: 15 minutes. Refresh tokens: 7 days. This balances security with user experience

How do I implement token refresh?

Store refresh token in secure httpOnly cookie. When access token expires, send refresh token to /api/refresh endpoint to get new access token

Why does my token fail on different servers?

Ensure all server instances use the same JWT secret from environment variables

Related Bolt Issues

OAuth2 Provider Not Configured - Missing Client ID

auth

Session Lost on Page Refresh - Auth State Not Persisting

auth

Protected Routes Redirecting Unauthenticated Users Incorrectly

auth

Infinite Redirect Loop - Auth Redirect Not Ending

auth

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help