Token refresh returns 401


I’m a bit confused about refreshing session tokens. To refresh an admin’s token I am performing a PUT to I have attempted to do this both by adding “?session_token=mytoken” and by passing the “X-DreamFactory-Session-Token” header.

Both methods result in a 401 error telling me that my session token has expired and that I need to refresh it.

For now, I am getting around this by just re-logging in, but it would be nice to be able to refresh tokens. Any suggestions?


Hi @jsolbrig,

A solution if you want forever sessions can be found in this wiki article Please correct me if I’m wrong, but I believe the issue you are running into is from following these instructions I will test this and get back with you.

Kevin McGahey


Thanks, yes, I was following the instructions you link to. I’m trying to avoid forever sessions if possible, but may go that route.



This is how it is intended to be used by the author of the package we use:

Great question by the way! Our documentation on this is quite confusing on this topic, but I will do my best to explain how this works. So, if the DF_JWT_TTL is 1 minute and the DF_JWT_REFRESH_TTL is 2 minutes then you can refresh the token as many times as needed during the 1 minute period in turn continuing to refresh the token until the 2 minute timer is up. I would recommend extending the DF_JWT_REFRESH_TTL in the .env file to a longer time to refresh your tokens.

Please let me know if I need to explain further or if it is hard to follow.

Kevin McGahey



I think I see what I’m doing wrong. Thanks!

It was a dumb mistake on my part. I was attempting to refresh my token only after the first time I got a 401 error. Of course that didn’t work. The token was stale by that point, so I couldn’t access the API to refresh it.

I think something added to the docs to indicate that the token needs to be refreshed BEFORE it becomes stale might be helpful for people who aren’t thinking.