Cannot modify JWT to refresh access_token

[rhufsky]

x^### Environment

  System:
    OS: macOS 15.2
    CPU: (8) arm64 Apple M1 Pro
    Memory: 93.78 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.14.0 - /opt/homebrew/opt/node@22/bin/node
    Yarn: 1.22.22 - /opt/homebrew/bin/yarn
    npm: 10.9.2 - /opt/homebrew/opt/node@22/bin/npm
    bun: 1.2.10 - /opt/homebrew/bin/bun
  Browsers:
    Chrome: 135.0.7049.114
    Safari: 18.2
  npmPackages:
    @auth/prisma-adapter: ^2.9.0 => 2.9.0 
    next: 15.3.1 => 15.3.1 
    next-auth: ^5.0.0-beta.26 => 5.0.0-beta.26 
    react: ^19.1.0 => 19.1.0 

Reproduction URL

https://github.com/rhufsky/authdemo

Describe the issue

Cannot update JWT after initial creation at login time, shown by a simplified example. In the current state, it seems that I am unable to implement token refresh as described in https://authjs.dev/guides/refresh-token-rotation.

How to reproduce

Login and watch the jwt() callback. As a sample I create an arbitrary property status and set it to "INITIAL" at the first invocation of jwt().

When jwt() is invoked for a second time, it returns a token with status: "REFRESH".

The new value is never persisted, at the third invocation of jwt(), status is still "INITIAL".

    async jwt({ token, user, account, profile }) {
      console.log(token);
      if (account && profile && user) {
        console.log("INITIAL JWT");
        return {
          ...token,
          status: "INITIAL",
        };
      } else {
        console.log("SUBSQUENT JWT");

        return { ...token, status: "REFRESH" };
      }
    },

Expected behavior

After every invocation of jwt() the returned token should be persisted.

[slickroot]

I spent 2 days thinking I was doing something wrong, until I made a small example also, the token never updates.

    async jwt({ token, account, user }) {
      console.log('JWT', token)
      if (account && user) {
        console.log('First time')
        token.iteration = 0
        token.expires_at = Math.floor(Date.now() / 1000 + 60)
      }

      if (Date.now() < token.expires_at * 1000) {
        console.log('Still good')
        return token
      }

      console.log('expired')
      return {
        ...token,
        iteration: token.iteration + 1,
        expires_at: Math.floor(Date.now() / 1000 + 60)
      }
    },

After one minute, I just keep seeing expired, and token.iteration never increments, is there a work around to solve this?

next-auth version is: 4.24.11

[rhufsky]

As far as i understand, the docs say that when you update the JWT in jwt() and return the updated JWT from jwt() the new JWT is "persisted" in that the browser sends the updated JWT with the next request.

This works when jwt() is called for the first time after login.

In any further invocations it seems to that even if you update the JWT and return the updated JWT from jwt(), the JWT is not persisted and the browser keeps sending the original JWT. This makes things like refreshing an access token impossible.

The only way i can think of is keeping access token and refresh token in a database table and manage it from there but this defeats the purpose of having JWTs.

[TwoWheelDev]

This is also present in the latest beta version: next-auth@5.0.0-beta.25

Spent the last few hours trying to work out why my token refresh was always triggering!

[8lane]

Seeing this too in next-auth@5.0.0-beta.25. Cannot refresh access token using JWT strategy. Code is identical to the guide https://authjs.dev/guides/refresh-token-rotation?framework=next-js

[TwoWheelDev]

This is also present in the latest beta version: next-auth@5.0.0-beta.25

Spent the last few hours trying to work out why my token refresh was always triggering!

So fast forward a few hours... and it's working for me now 😕

[8lane]

This is also present in the latest beta version: next-auth@5.0.0-beta.25
Spent the last few hours trying to work out why my token refresh was always triggering!

So fast forward a few hours... and it's working for me now 😕

Mind showing your auth.ts? I've given up after reading various other threads saying token refresh is not possible with app router + next-auth. I have managed to get it working with middleware though.

[philyboysmith]

I spent hours trying to investigate this. In the end I've given up and rolled my own auth using iron session

[TwoWheelDev]

Mind showing your auth.ts? I've given up after reading various other threads saying token refresh is not possible with app router + next-auth. I have managed to get it working with middleware though.

@8lane Here's a gist of my auth.ts (I make no claims about the cleanliness of it, but it seems to work) https://gist.github.com/TwoWheelDev/83d263b59f4587ae01f134ef0a7795cc

[8lane]

Mind showing your auth.ts? I've given up after reading various other threads saying token refresh is not possible with app router + next-auth. I have managed to get it working with middleware though.

@8lane Here's a gist of my auth.ts (I make no claims about the cleanliness of it, but it seems to work) https://gist.github.com/TwoWheelDev/83d263b59f4587ae01f134ef0a7795cc

Thank you 🙏

Aside from your authorize function (which I don't have) mine is pretty much identical to yours. The token refresh works, and I return the updated token in the jwt callback exactly like you are. I then see it in the session callback and update the session like you are. However, in subsequent refreshes, the jwt callback will always give the original jwt and not the refreshed one.

next-auth: 5.0.0-beta.25
next: 14.2.23

Using App Router

[TwoWheelDev]

Thank you 🙏

Aside from your authorize function (which I don't have) mine is pretty much identical to yours. The token refresh works, and I return the updated token in the jwt callback exactly like you are. I then see it in the session callback and update the session like you are. However, in subsequent refreshes, the jwt callback will always give the original jwt and not the refreshed one.

next-auth: 5.0.0-beta.25 next: 14.2.23

Using App Router

I'm currently using next: 15.1.6 but I wouldn't expect that making a huge difference. Thinking it through, it possibly started working after using the default Next-Auth middleware, instead of cobbling together my own based on the NextJS documentation

export { auth as middleware } from "@/auth"
 
export const config = {
  matcher: [
    '/admin/:path*',
    '/((?!api|_next/static|_next/image|.*\\.png$).*)'
  ],
}

[rhufsky]

That's basically what I experience. Yes, it is possible to update the JWT, Yes, the updated JWT it gets passed to the session but at the next cycle, the JWT itself stands as it was post - login. For now.

In https://github.com/rhufsky/authdemo I simulate that in the JWT callback by

• add status="INTIAL" post login
• add status ="REFRESH" and add refreshCount in each subsequent call to jwt()

Turns out that status stays "INITIAL" for each call and refreshCount stays zero, meaning that the JWT can not be updated.

SOMETIMES however, the JWT can be updated, meaning the status goes to "REFRESH" and refreshCount is non - zero. It looks like there must be a minimum interval between two JWT updates.

[brechtmann]

I had a similar Issue. check if this comment fixes it: #8138 (comment)

It didn't work in the end for me

[slickroot]

Since OP doesn't use any middleware in the demo that was shared, all solutions talking about middleware.ts aren't solutions to the original problem.

Having said that I use a middleware.ts and replaced it with what @TwoWheelDev was suggesting, but still didn't get anywhere.