From 4167cdf29f800fa74fa20e90ba91fbd6f591b6ae Mon Sep 17 00:00:00 2001 From: Timothy Jaeryang Baek Date: Sun, 20 Jul 2025 14:50:48 +0400 Subject: [PATCH] Update env-configuration.md --- docs/getting-started/env-configuration.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/env-configuration.md b/docs/getting-started/env-configuration.md index 66405bb9..e9596b25 100644 --- a/docs/getting-started/env-configuration.md +++ b/docs/getting-started/env-configuration.md @@ -853,8 +853,10 @@ The value of `API_KEY_ALLOWED_ENDPOINTS` should be a comma-separated list of end :::warning Setting `JWT_EXPIRES_IN` to `-1` disables JWT expiration, making issued tokens valid forever. **This is extremely dangerous in production** and exposes your system to severe security risks if tokens are leaked or compromised. -**Always set a reasonable expiration time (e.g., `3600s`, `1h`, etc.) in production to limit the lifespan of authentication tokens.** -Never use `-1` in a production environment. + +**Always set a reasonable expiration time (e.g., `3600s`, `1h`, etc.) in production to limit the lifespan of authentication tokens.** Never use `-1` in a production environment. + +If you have already deployed with `JWT_EXPIRES_IN=-1`, you can rotate or change your `WEBUI_SECRET_KEY` to immediately invalidate all existing tokens. :::
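Review bot: The new remediation sentence (the last added line before the closing `:::`) tells the reader to change `WEBUI_SECRET_KEY` but not to set `JWT_EXPIRES_IN` to a finite value first. If the key is rotated while `JWT_EXPIRES_IN=-1` is still configured, every token issued after the rotation is again valid forever, by the warning's own description. Suggest wording it as an ordered fix: set a finite expiry, then change `WEBUI_SECRET_KEY`. Since the sentence says this invalidates all existing tokens, it is also worth stating that every signed-in user will have to log in again, so operators can plan for it. Minor: "rotate or change" says the same thing twice, one verb is enough.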