fix!: increase default JWT expiration time via AuthNew (#6475)

LesnyRumcajs · web-flow · commit 0ff6c7b185e0 · 2026-01-23T21:56:01.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,8 @@
 
 ### Breaking
 
+- [#6475](https://github.com/ChainSafe/forest/pull/6475): Increased default JWT (generated via `Filecoin.AuthNew`) expiration time from 24 hours to 100 years to match Lotus behavior and ensure compatibility with clients like Curio.
+
 ### Added
 
 - [#6466](https://github.com/ChainSafe/forest/pull/6466) Enabled `Filecoin.EthGetBlockTransactionCountByHash` for API v2.
diff --git a/src/rpc/methods/auth.rs b/src/rpc/methods/auth.rs
@@ -29,12 +29,13 @@ impl RpcMethod<2> for AuthNew {
     ) -> Result<Self::Ok, ServerError> {
         let ks = ctx.keystore.read();
         let ki = ks.get(JWT_IDENTIFIER)?;
-        let token = create_token(
-            permissions,
-            ki.private_key(),
-            // default to 24h
-            chrono::Duration::seconds(expiration_secs.unwrap_or(60 * 60 * 24)),
-        )?;
+        // Lotus admin tokens do not expire but Forest requires all JWT tokens to
+        // have an expiration date. So we set the expiration date to 100 years in
+        // the future to match user-visible behavior of Lotus.
+        let token_exp = expiration_secs
+            .map(chrono::Duration::seconds)
+            .unwrap_or_else(|| chrono::Duration::days(365 * 100));
+        let token = create_token(permissions, ki.private_key(), token_exp)?;
         Ok(token.as_bytes().to_vec())
     }
 }
