NextAuth: Access token invalid even though session still valid (multi-domain setup, Next.js 14)

[Smruti-AT]

Hi, I’m running Next.js 14 with NextAuth v4 (JWT session) deployed on GCP behind Nginx. I have two domains pointing to the same Next.js server (multi-tenant setup).

Yesterday, I ran into a strange issue for the first time in over a year:

• When I opened the site, I appeared logged in (session active).
• But all my API calls failed with Invalid access token.
• On inspecting my jwt callback, I realized I was checking the session expiry instead of the access token expiry to validate/refresh tokens.

This raises a few questions:
Cause – Could the mismatch between session expiry and access token expiry alone explain the issue, or could my multi-tenant / multi-domain setup also be a factor?
Session expiry confusion – My session token showed an expiry of Dec 19 (which is >30 days away). I haven’t configured maxAge, so I expected the default 30 days. Why would the session expiry extend beyond that?

This also happened for three other accounts, but since it’s the first time in over a year, I’m not sure if this is just a coincidence or not. Though I (and the other accounts) were inactive for more than 1 day which is why the access token expired but we had been inactive for more than 1 day even before.

What I’m looking for:
Clarification on the relationship between session expiry and access token expiry in NextAuth.
Whether a multi-domain setup could cause unexpected session/token issues.
Why session expiry might not match the documented defaults.

[Exp1ry]

Hi Smruti,

Do you use refresh tokens to refresh your access tokens? If not, then the implementation will be simple.

You must simply set the maxAge of your session inside the auth.config.ts

session: { strategy: "jwt", maxAge: REFRESH_TOKEN_LIFETIME_MS / 1000, // seconds },

In my case, its my refresh token lifetime but in your case its your access token's max age.

Once you have that, your AuthJS JWT token's expiry date will align with your access token's expiry date.