Token refresh returns 401

I’m a bit confused about refreshing session tokens. To refresh an admin’s token I am performing a PUT to https://hostname.com/api/v2/system/admin/session. I have attempted to do this both by adding “?session_token=mytoken” and by passing the “X-DreamFactory-Session-Token” header.

Both methods result in a 401 error telling me that my session token has expired and that I need to refresh it.

For now, I am getting around this by just re-logging in, but it would be nice to be able to refresh tokens. Any suggestions?

Hi @jsolbrig,

A solution if you want forever sessions can be found in this wiki article https://wiki.dreamfactory.com/DreamFactory/Tutorials/Forever_sessions. Please correct me if I’m wrong, but I believe the issue you are running into is from following these instructions https://wiki.dreamfactory.com/DreamFactory/Tutorials/Refreshing_a_JWT? I will test this and get back with you.

Best,
Kevin McGahey

Thanks, yes, I was following the instructions you link to. I’m trying to avoid forever sessions if possible, but may go that route.

@jsolbrig,

This is how it is intended to be used by the author of the package we use: https://github.com/tymondesigns/jwt-auth/issues/150
https://github.com/tymondesigns/jwt-auth/issues/66.

Great question by the way! Our documentation is quite confusing on this topic, but I will do my best to explain how this works. So, if the DF_JWT_TTL is 1 minute and the DF_JWT_REFRESH_TTL is 2 minutes, then you can refresh the token as many times as needed during the 1 minute period, in turn continuing to refresh the token until the 2 minute timer is up. I would recommend extending the DF_JWT_REFRESH_TTL in the .env file to a longer time to refresh your tokens.

Please let me know if I need to explain further or if it is hard to follow.

Best,
Kevin McGahey

@Kevin_Mcgahey

I think I see what I’m doing wrong. Thanks!

It was a dumb mistake on my part. I was attempting to refresh my token only after the first time I got a 401 error. Of course that didn’t work. The token was stale by that point, so I couldn’t access the API to refresh it.

I think something added to the docs to indicate that the token needs to be refreshed BEFORE it becomes stale might be helpful for people who aren’t thinking.
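Kevin's TTL / refresh-window description and the lesson above (refresh while the token is still valid, not after the first 401), as an added Python simulation that is not part of this thread or of DreamFactory's code. Only the endpoint and header name come from the thread; the server model, the `orig_iat` claim, the unsigned token format and the timing values are constructed assumptions.

```python
import base64
import json


def _b64(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def jwt_claims(token):
    """Decode a JWT payload without verifying it; the client only needs `exp`."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def needs_refresh(token, now, margin=30):
    """True when the token expires within `margin` seconds: refresh it now, while it is still accepted."""
    return now >= jwt_claims(token)["exp"] - margin


class FakeDreamFactory:
    """Constructed server stand-in: `ttl` models DF_JWT_TTL, `refresh_ttl` models DF_JWT_REFRESH_TTL (seconds)."""

    def __init__(self, ttl, refresh_ttl):
        self.ttl, self.refresh_ttl = ttl, refresh_ttl

    def _issue(self, now, login_at):
        claims = {"iat": now, "exp": now + self.ttl, "orig_iat": login_at}
        return f"{_b64({'alg': 'none'})}.{_b64(claims)}.sig"  # unsigned stand-in token

    def login(self, now):
        return self._issue(now, now)

    def refresh(self, token, now):
        """Model of PUT /api/v2/system/admin/session with X-DreamFactory-Session-Token:
        401 if the token is already stale or the refresh window since the original login is over."""
        c = jwt_claims(token)
        if now >= c["exp"] or now >= c["orig_iat"] + self.refresh_ttl:
            return 401, None
        return 200, self._issue(now, c["orig_iat"])


def run_session(server, refresh_times):
    """Log in at t=0, then at each time decide whether to refresh.
    Per attempt: 200 = renewed, 401 = must log in again, None = still fresh, not attempted."""
    token, statuses = server.login(0), []
    for t in refresh_times:
        if not needs_refresh(token, t):
            statuses.append(None)
            continue
        status, new_token = server.refresh(token, t)
        statuses.append(status)
        token = new_token or token
    return statuses
```

With a 60 s TTL and a 120 s refresh window, refreshing at 30 s and 80 s succeeds, a refresh at 125 s fails because the window measured from login is over, and a first refresh attempted at 61 s fails because the token is already stale.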

We have the same issue and it does not seem to be resolvable. Using bitnami install of latest DF as Admin user. Our settings in .env set the token TTL to 1 hour and the refresh window to 6 hours. We created a test that does a ‘token refresh’ on demand, so we could examine the tokens returned. We do receive a ‘new/refreshed’ token. However, IT DOES NOT actually extend the time. At the end of 1 hour it will fail and a login is needed. This is NOT how the docs say it should work. According to the docs, if I refresh I should get a token good for another 1 hour, up to the maximum time controlled by the refresh-window setting. Again, that does not work as far as our testing shows. If we are wrong I would love to have someone from DF clear this up. It looks like this issue has been left since 2015? I spent a couple of days reading and prying around in docs and code to get it to work and have not succeeded.