Bolt.new auth session keeps expiring — fix JWT refresh tokens

Last updated 17 April 2026 · 6 min read · By Hyder Shah
Direct answer

Bolt.new wires up Supabase Auth for sign-in and sign-up. It typically skips JWT refresh token handling, session persistence across page reloads, and the “remember me” functionality. Users get logged out after 1 hour (the JWT expiry default) or when they refresh the page. Three fixes cover 90% of session issues in Bolt apps.

Quick fix for Bolt.new auth session keeps expiring

Fix 1 — Enable auto session refresh

When initialising the Supabase client, set autoRefreshToken: true:

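import { createClient } from '@supabase/supabase-js';

// url and key: your Supabase project URL and anon key
export const supabase = createClient(url, key, {
  auth: {
    autoRefreshToken: true,   // refresh the access token before it expires
    persistSession: true,     // keep the session in storage across page reloads
    detectSessionInUrl: true, // pick up a session returned in the URL after an OAuth or magic-link redirect
  },
});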

This tells the client to automatically refresh the JWT before it expires. If you already have this, check that you’re not creating multiple Supabase client instances — each one needs these settings.

Deeper fixes when the quick fix fails

    Fix 2 — Restore session on page load

    In your root layout or _app equivalent, add:

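    // Inside your root component (useEffect is imported from 'react')
    useEffect(() => {
      // Restore a persisted session on first load
      supabase.auth.getSession().then(({ data: { session } }) => {
        setSession(session);
      });

      // Keep state in sync with later auth events
      const { data: { subscription } } = supabase.auth.onAuthStateChange((event, session) => {
        setSession(session);
      });

      return () => subscription.unsubscribe(); // avoid duplicate listeners
    }, []);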

    The onAuthStateChange handler fires for SIGNED_IN, SIGNED_OUT, TOKEN_REFRESHED, and USER_UPDATED events.

    Fix 3 — Verify localStorage persistence

    Supabase’s client stores the session in localStorage by default. Check DevTools → Application → Local Storage for a sb-*-auth-token key.

    If it’s missing, persistSession is false somewhere. If it exists but the user is still logged out, check for code that calls localStorage.clear() or supabase.auth.signOut() unintentionally.
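
The DevTools check from Fix 3 as a function, added here as an example and not part of the original page: it finds the sb-*-auth-token entry and reports whether the stored access token is still valid or can be refreshed. It assumes the supabase-js v2 stored session shape (access_token, refresh_token, expires_at); decodeJwtPayload, diagnoseStoredSession, makeStorage and fakeJwt are hypothetical helper names, and the sample token is constructed.

```javascript
// Added diagnostic, not the page's code. Assumption: supabase-js v2 stores the
// session as JSON with access_token, refresh_token and expires_at (epoch seconds).
// Decodes (does NOT verify) the JWT payload; enough to read the exp claim locally.
function decodeJwtPayload(jwt) {
  const part = String(jwt).split('.')[1] || '';
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  try {
    return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
  } catch {
    return null;
  }
}

// storage: anything with the Web Storage interface (length, key, getItem).
function diagnoseStoredSession(storage, nowSec = Math.floor(Date.now() / 1000)) {
  let key = null;
  for (let i = 0; i < storage.length; i++) {
    if (/^sb-.+-auth-token$/.test(storage.key(i))) key = storage.key(i);
  }
  if (!key) return { status: 'missing' }; // persistSession off, or storage was cleared

  let session = null;
  try { session = JSON.parse(storage.getItem(key)); } catch { /* handled below */ }
  if (!session || typeof session.access_token !== 'string') return { status: 'corrupt', key };

  const claims = decodeJwtPayload(session.access_token);
  const exp = claims && typeof claims.exp === 'number' ? claims.exp : session.expires_at;
  if (typeof exp !== 'number') return { status: 'corrupt', key };
  const secondsLeft = exp - nowSec;
  if (secondsLeft > 0) return { status: 'valid', key, secondsLeft };
  // Expired access token: recoverable only if a refresh token was persisted with it.
  const status = session.refresh_token ? 'expired-refreshable' : 'expired-no-refresh-token';
  return { status, key, secondsLeft };
}

// Constructed sample data: a fake storage and an unsigned token for testing offline.
function makeStorage(entries) {
  const keys = Object.keys(entries);
  return { length: keys.length, key: (i) => keys[i] ?? null, getItem: (k) => entries[k] ?? null };
}
function fakeJwt(exp) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'user-1', exp })}.constructed-signature`;
}

// In the browser console: diagnoseStoredSession(window.localStorage)
```

The result contains only the status, the key name and the seconds remaining, never the token values, so it can be pasted into a bug report.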

Still getting logged out?

Less common causes: (1) server-side rendering without session cookies configured (use the @supabase/ssr package for Next.js), (2) cookie SameSite or Secure flags blocking persistence on HTTPS, (3) a service worker or CDN caching old auth responses.

Why AI-built apps hit “Bolt.new auth session keeps expiring”

Supabase Auth uses JWTs with a default 1-hour expiry. The access token refreshes automatically — but only if your client-side code calls supabase.auth.getSession() on initialisation and handles the SIGNED_OUT event properly.

Bolt-generated apps often miss one or both steps. The sign-in screen works, the dashboard loads, and nobody notices until a real user refreshes the page or leaves the tab open for an hour.

My users keep getting logged out every hour, is this expected?
Reddit — r/Supabase

Diagnose “Bolt.new auth session keeps expiring” by failure mode

Test your auth by signing in, then waiting 60 minutes without interacting. If you’re logged out, you need Fix #1. If refresh on any page logs you out, you need Fix #2.

| Symptom | Cause | Fix |
| --- | --- | --- |
| Users logged out after exactly 1 hour | JWT expiry, no refresh token exchange | Fix #1 |
| Refresh page = logged out | Session not persisted in localStorage | Fix #2 |
| 'Remember me' checkbox does nothing | persistSession option not set | Fix #3 |


Bolt.new auth session keeps expiring: questions

Why does my Bolt.new app log users out after 1 hour?
Supabase JWTs expire after 1 hour by default. The client library refreshes them automatically — but only if autoRefreshToken is enabled on the client and the onAuthStateChange listener is wired up. Bolt-generated apps frequently skip both. The fix is a three-line config change in the createClient call plus an event listener in your root layout.
Why does refreshing the page log users out of my Bolt.new app?
The Supabase session is stored in localStorage by the client, but only if persistSession: true is passed to createClient. On page load, your app also needs to call supabase.auth.getSession() to restore state into React context. If either step is missing, every refresh appears to sign the user out even though the token is still valid.
How do I implement 'remember me' in Bolt.new + Supabase?
With persistSession: true, the session already persists across browser sessions until the refresh token expires (default: never, until signOut is called). For an explicit 'remember me' checkbox: when it is unchecked, keep the session under a session-scoped sessionStorage key instead of the localStorage key. Supabase's signInWithPassword accepts an options.storage override.
Can I extend the Supabase JWT expiry past 1 hour?
Yes, in the Supabase dashboard: Authentication → Settings → JWT expiry limit. You can set up to 24 hours. But extending JWT expiry without also fixing refresh token handling is a security regression — a leaked JWT now works for 24 hours instead of 1. Fix the refresh logic properly instead of extending the expiry.
Why does onAuthStateChange fire multiple times in my Bolt.new app?
Two causes: (1) you're creating multiple Supabase clients (each registers its own listener), (2) React strict mode double-invokes effects in development. Fix the first by exporting a singleton from a lib/supabase.ts file and importing it everywhere. Fix the second by returning a cleanup function from useEffect that unsubscribes: const { data: { subscription } } = supabase.auth.onAuthStateChange(...); return () => subscription.unsubscribe();
How much does a Bolt.new auth fix cost?
A single-issue auth fix (JWT refresh, session persistence, or OAuth redirect) runs $299 via Emergency Triage with 48-hour turnaround. A full auth rebuild — proper signup/signin flows, remember-me, password reset, MFA — runs $799 as part of the Integration Fix package. Both include regression tests so the bug doesn't come back.
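
One way to back the 'remember me' checkbox from the questions above, added here as an example and not the page's or Supabase's own code: a storage adapter that keeps the session in sessionStorage when the box is unchecked, including after a reload. It assumes the adapter is handed to createClient through the auth.storage option; EPHEMERAL_FLAG, createRememberMeStorage and memoryStorage are hypothetical names.

```javascript
// Added example, not the page's code. Assumption: the adapter is passed to
// createClient via auth.storage, which expects getItem / setItem / removeItem.
const EPHEMERAL_FLAG = 'auth-ephemeral'; // hypothetical key name

function createRememberMeStorage(local, session) {
  // The flag lives in sessionStorage: it survives reloads in this tab, so a token
  // refresh after a reload cannot silently move the session into localStorage.
  const ephemeral = () => session.getItem(EPHEMERAL_FLAG) === '1';
  return {
    // Call with the checkbox value before signing in.
    setRemember(remember) {
      if (remember) session.removeItem(EPHEMERAL_FLAG);
      else session.setItem(EPHEMERAL_FLAG, '1');
    },
    getItem(key) {
      return ephemeral() ? session.getItem(key) : local.getItem(key);
    },
    setItem(key, value) {
      const [target, other] = ephemeral() ? [session, local] : [local, session];
      target.setItem(key, value);
      other.removeItem(key); // never leave a second copy of the tokens behind
    },
    removeItem(key) {
      local.removeItem(key);
      session.removeItem(key);
    },
  };
}

// Constructed in-memory stand-in for localStorage / sessionStorage (for tests).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => void m.set(k, String(v)),
    removeItem: (k) => void m.delete(k),
  };
}

// Browser wiring, shown as a comment because it needs the real client:
//   const storage = createRememberMeStorage(window.localStorage, window.sessionStorage);
//   const supabase = createClient(url, key, { auth: { storage, persistSession: true, autoRefreshToken: true } });
//   storage.setRemember(checkbox.checked); // then call supabase.auth.signInWithPassword(...)
```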

About the author

Hyder Shah leads Afterbuild Labs, shipping production rescues for apps built in Lovable, Bolt.new, Cursor, Replit, v0, and Base44.
