
ERR_AUTH_TOKEN_EXPIRED — Auth Token Expired

HTTP Status: 401
Retryable: No
Automatic retry: None. The client must obtain a fresh token by re-authenticating.

What the User Sees

Your session has expired. (ERR_AUTH_TOKEN_EXPIRED)

What Causes This Error

The JWT provided in the Authorization header has an expired exp claim, or the JWT signature verification failed. Supabase access tokens expire after 1 hour by default. The frontend should automatically refresh the token via supabase.auth.getSession(), but if the refresh token has also expired (after 7 days of inactivity), the user must re-authenticate.

Signature verification failures can also trigger this error. This happens when Supabase has rotated its JWKS keys and the keys cached in middleware/auth.ts are stale (the cache TTL is 1 hour), or when the JWT has been tampered with.

In rare cases, clock skew between the Cloudflare Worker runtime and the token issuer can cause valid tokens to appear expired. Cloudflare Workers use NTP-synchronized clocks, so this is extremely unlikely but not impossible during infrastructure anomalies.
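
To tell these causes apart for a rejected token, the following added example (not the project's middleware/auth.ts) decodes a token without verifying it and reports whether exp is past, past by less than a skew window, or whether its kid is missing from the cached key IDs. The function names, the cachedKids input, the 60-second window and the sample tokens are assumptions made for illustration.

```javascript
// Added example (not the project's middleware/auth.ts). Decodes only; it never
// verifies the signature, so use the result for triage, not for authorization.

function b64url(obj) { // helper used only to build the constructed samples
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeSegment(seg) {
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const obj = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (obj === null || typeof obj !== "object") throw new Error("not an object");
  return obj;
}

// cachedKids: key IDs currently held in the JWKS cache (assumed input shape).
// skewSec: near-miss window for suspecting clock skew (assumed value).
function triageToken(token, cachedKids, nowSec, skewSec = 60) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return ["malformed"];
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch (e) {
    return ["malformed"];
  }
  const findings = [];
  if (typeof payload.exp !== "number") {
    findings.push("missing_exp");
  } else if (nowSec - payload.exp >= skewSec) {
    findings.push("expired");              // plainly stale: refresh or re-authenticate
  } else if (nowSec >= payload.exp) {
    findings.push("expired_within_skew");  // near miss: compare clocks before blaming the user
  }
  if (typeof header.kid === "string" && !cachedKids.includes(header.kid)) {
    findings.push("kid_not_in_cache");     // consistent with a key rotation and a stale cache
  }
  return findings; // empty: exp and kid look fine, signature still unchecked
}

// Constructed sample tokens (placeholder signature "c2ln", not real credentials).
const NOW = 1700000000;
const sample = (kid, exp) =>
  `${b64url({ alg: "ES256", kid })}.${b64url({ sub: "u1", exp })}.c2ln`;
const report = {
  stale: triageToken(sample("old-key", NOW - 7200), ["old-key"], NOW),
  skew: triageToken(sample("old-key", NOW - 10), ["old-key"], NOW),
  rotated: triageToken(sample("new-key", NOW + 3000), ["old-key"], NOW),
};
console.log(report);
```

An empty result means only that exp and kid give no explanation; a tampered token can still pass this triage and fail signature verification.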

Resolution Steps

For Users

  1. Sign out and sign in again. This will generate a fresh access token and refresh token.
  2. If you are automatically signed out frequently (more than once per hour), check that your browser is not blocking cookies or local storage for the site.
  3. If using multiple tabs, signing out in one tab may invalidate the session in all tabs.
  4. Ensure your device clock is set to automatic time — manual clock settings can cause token validation issues.

For Administrators

  1. If widespread, check if Supabase rotated JWKS keys. The JWKS cache in middleware/auth.ts has a 1-hour TTL, so new keys will be fetched automatically after the cache expires.
  2. Verify SUPABASE_JWT_SECRET matches the JWT secret in Supabase Dashboard > Settings > API.
  3. Check the JWKS endpoint is accessible:
    curl https://vuvwmfxssjosfphzpzim.supabase.co/auth/v1/.well-known/jwks.json
  4. If the JWT secret was changed in Supabase, update the SUPABASE_JWT_SECRET Worker secret and redeploy.
  5. Monitor the frequency of this error in Grafana. A spike may indicate a JWKS rotation or Supabase auth configuration change.