[GH-ISSUE #4224] [FEAT]: Customize JWT Expiry via config #2684

Closed
opened 2026-02-22 18:30:46 -05:00 by yindo · 2 comments
Owner

Originally created by @sha-roze on GitHub (Jul 31, 2025).
Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4224

Originally assigned to: @timothycarambat on GitHub.

How are you running AnythingLLM?

Docker (local)

What happened?

After logging out, the token remains valid and can still be used to access the server api's.

Are there known steps to reproduce?

  1. Login to any user account. Get the JWT Token from the Authorization header.
  2. Call any API using curl or postman by passing this token in the Authorization header.
Originally created by @sha-roze on GitHub (Jul 31, 2025). Original GitHub issue: https://github.com/Mintplex-Labs/anything-llm/issues/4224 Originally assigned to: @timothycarambat on GitHub. ### How are you running AnythingLLM? Docker (local) ### What happened? After logging out, the token remains valid and can still be used to access the server api's. ### Are there known steps to reproduce? 1. Login to any user account. Get the JWT Token from the Authorization header. 2. Call any API using curl or postman by passing this token in the Authorization header.
yindo added the enhancementfeature request labels 2026-02-22 18:30:46 -05:00
yindo closed this issue 2026-02-22 18:30:46 -05:00
Author
Owner

@timothycarambat commented on GitHub (Jul 31, 2025):

We use JWT for authentication - this is not a bug and is an inherent ability of how JWTs work.

JSON Web Tokens (JWTs) are inherently stateless and, by design, are not automatically invalidated upon user logout. Once a JWT access token is issued, it remains cryptographically valid until its embedded expiration time (the exp claim) is reached, regardless of whether the user has logged out or not.

The most we can do is have the JWT function take in a user-defined ENV config that can be set by system admin for shorter lived tokens.

@timothycarambat commented on GitHub (Jul 31, 2025): We use JWT for authentication - this is not a bug and is an inherent ability of how JWTs work. > JSON Web Tokens (JWTs) are inherently stateless and, by design, are not automatically invalidated upon user logout. Once a JWT access token is issued, it remains cryptographically valid until its embedded expiration time (the exp claim) is reached, regardless of whether the user has logged out or not. The most we can do is have the JWT function take in a user-defined ENV config that can be set by system admin for shorter lived tokens.
Author
Owner

@sha-roze commented on GitHub (Aug 1, 2025):

Thanks for taking this up Tim

@sha-roze commented on GitHub (Aug 1, 2025): Thanks for taking this up Tim
yindo changed title from [FEAT]: Customize JWT Expiry via config to [GH-ISSUE #4224] [FEAT]: Customize JWT Expiry via config 2026-06-05 14:47:58 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#2684