JWT strategy does not support updateAge parameter #13248

@plaa

Description

Environment

  System:
    OS: macOS 14.7.1
    CPU: (14) arm64 Apple M3 Max
    Memory: 74.95 MB / 36.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.18.0 - ~/.nvm/versions/node/v22.18.0/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v22.18.0/bin/yarn
    npm: 10.9.3 - ~/.nvm/versions/node/v22.18.0/bin/npm
    pnpm: 9.15.4 - ~/.nvm/versions/node/v22.18.0/bin/pnpm
  Browsers:
    Chrome: 140.0.7339.208
    Safari: 18.1.1
  npmPackages:
    @auth/unstorage-adapter: ^2.0.0 => 2.10.0 
    next: latest => 15.5.4 
    next-auth: beta => 5.0.0-beta.29 
    react: ^18.2.0 => 18.3.1 

Reproduction URL

https://github.com/plaa/next-auth-updateAge-bug

Describe the issue

When using the JWT strategy, the session token cookie is updated on every single request. This is extremely wasteful, especially if the token contains more information than the minimal JWT contents.

In our service the session token is about 3kB in size and a single page load can involve 5-10 requests, meaning 15-30kB of unnecessary data is encrypted and sent to the browser per page. This is very wasteful from a Green IT perspective.

I expected that setting updateAge would fix the issue, and the token would only be updated when the token age exceeds that amount, but the code path for jwt completely ignores the property.

How to reproduce

Using the example repo (a direct copy of the example repo with only auth.ts updated):

  1. Start the app according to the regular instructions (`pnpm install`, `cp .env.local.example .env.local`, `pnpm run dev`)
  2. Open the page and sign in with any username
  3. View network panel while reloading the page

--> On every page load a ~2kB Set-Cookie header is present, even though the token is nowhere near expiry and updateAge: 5 * 60 is specified.

Expected behavior

The JWT token should be refreshed and set only every updateAge seconds.

To make this work correctly when maxAge is set, I propose that the default updateAge value be maxAge / 30, making it relative to the maxAge expiry time; that would be well sufficient to keep the session alive and is consistent with the current 30d / 1d defaults.
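The refresh rule the issue asks for, written out as an added example (this is not code from the issue, the reproduction repo, or next-auth; the function names `resolveSessionOptions`, `decideToken`, `reissue` and `simulateRequests` are hypothetical): a JWT session cookie is re-issued only when the token's `iat` is older than `updateAge`, is rejected once `exp` has passed, and `updateAge` defaults to `maxAge / 30` as proposed above. The simulation at the bottom counts how many Set-Cookie headers a burst of page-load requests would produce under that rule.

```javascript
// Added example, not next-auth's implementation. All names are hypothetical.
// Times are in seconds, matching the JWT registered claims iat and exp.

const DAY = 24 * 60 * 60;

// Default updateAge to maxAge / 30: for the default 30-day maxAge this yields
// the existing 1-day update interval, and it scales when maxAge is changed.
function resolveSessionOptions({ maxAge = 30 * DAY, updateAge } = {}) {
  return { maxAge, updateAge: updateAge ?? Math.floor(maxAge / 30) };
}

// Decide what to do with the session token carried by an incoming request:
//   "reject"  - the token has expired, the session is gone
//   "reissue" - the token is older than updateAge, send a fresh cookie
//   "keep"    - the token is fresh enough, send no Set-Cookie header at all
function decideToken(token, nowSec, opts) {
  const { updateAge } = resolveSessionOptions(opts);
  if (nowSec >= token.exp) return "reject";
  if (nowSec - token.iat >= updateAge) return "reissue";
  return "keep";
}

// Slide the expiry: a re-issued token gets a new iat and a new exp = iat + maxAge.
function reissue(token, nowSec, opts) {
  const { maxAge } = resolveSessionOptions(opts);
  return { ...token, iat: nowSec, exp: nowSec + maxAge };
}

// Run a sequence of request timestamps through the rule and count how many
// Set-Cookie headers would be emitted, stopping at the first expired token.
function simulateRequests(initialToken, timestamps, opts) {
  let token = initialToken;
  let setCookies = 0;
  const decisions = [];
  for (const t of timestamps) {
    const decision = decideToken(token, t, opts);
    decisions.push(decision);
    if (decision === "reject") break;
    if (decision === "reissue") {
      token = reissue(token, t, opts);
      setCookies += 1;
    }
  }
  return { setCookies, decisions, token };
}

// Constructed sample: sign-in at t=0 with the default 30-day maxAge, then a
// page load that fires ten requests about a minute later with updateAge 5 min.
const signedIn = { sub: "user-1", iat: 0, exp: 30 * DAY };
const pageLoad = [60, 61, 61, 62, 62, 63, 64, 64, 65, 65];
const result = simulateRequests(signedIn, pageLoad, { updateAge: 5 * 60 });
console.log(`Set-Cookie headers for one page load: ${result.setCookies}`); // 0
console.log(`Reissue after updateAge: ${decideToken(signedIn, 400, { updateAge: 300 })}`);
```

Under the rule above the ten-request page load sends no Set-Cookie at all, whereas the behaviour described in the issue would send one per request; the first request made more than `updateAge` seconds after sign-in re-issues the cookie and resets the window.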

Metadata

Labels

    bug (Something isn't working), triage (Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.)