issue: JWT expiry not defaulting to 4w #6794

Closed
opened 2025-11-11 17:05:57 -06:00 by GiteaMirror · 3 comments

Originally created by @recrudesce on GitHub (Oct 29, 2025).

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.3x

Ollama Version (if applicable)

No response

Operating System

Irrelevant as Docker

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

JWT Expiry should be set to 4w as per the docs if you don't set the envvar.

Actual Behavior

UI shows JWT Expiry as -1 when no envvar is set, and JWTs actually never expire.

Steps to Reproduce

This happens on both 0.6.32, 0.6.33, and 0.6.34 from what I can see. No idea how far back this issue goes.

1: deploy OWUI docker somewhere
2: DO NOT set the JWT_EXPIRES_IN env var
3: go to the General Settings for OWUI
4: notice that JWT expiry is set to -1

Logs & Screenshots

No JWT Expiry envvar is set for the container:
Image
Image

JWT expiry shows as -1 in the UI
Image

Persistent config shows JWT expiry set to -1, not the default of 4w as detailed in the docs.

"auth":
    {
        "admin":
        {
            "show": true
        },
        "jwt_expiry": "-1",
        "api_key":
        {
            "enable": true,
            "endpoint_restrictions": false,
            "allowed_endpoints": ""
        }
    },

Additional Information

No response

GiteaMirror added the bug label 2025-11-11 17:05:57 -06:00

@Classic298 commented on GitHub (Oct 29, 2025):

4 weeks as default value is only after version 0.6.34

and if you have ever set it to any other value (aka if you installed Open WebUI before the default value was changed (= if you installed your Open WebUI instance with any version other than 0.6.34, ever)) it still is -1

It is a persistent config. Please read up in the documentation about how persistent configs work. Persistent configs can never be changed from the environment variables after they have been initially set.


@recrudesce commented on GitHub (Oct 29, 2025):

Nothing about the documentation states the feature was added in 0.6.34. I understand how persistent config works.


@Classic298 commented on GitHub (Oct 29, 2025):

@recrudesce It is impossible and very impractical to add notices to every single env var for when this env var was added or changed or modified in specific versions.

But, for that, we include all the important changes in the changelog!

https://github.com/open-webui/open-webui/releases/tag/v0.6.34

🔒 JWT token expiration default is now set to 4 weeks instead of never expiring, with security warnings displayed in backend logs and admin UI when set to unlimited. https://github.com/open-webui/open-webui/pull/18261, https://github.com/open-webui/open-webui/pull/18262
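Added example, not part of the thread and not Open WebUI's own code: a small audit of an exported persistent config for the `"jwt_expiry": "-1"` value shown in the issue, plus a check of whether an issued token carries an `exp` claim. Assumptions: the duration grammar is `-1` or `<number><s|m|h|d|w>`, a non-expiring token is one with no `exp` claim, and all function names are hypothetical.

```python
import base64
import json
import re

# Assumed grammar: "-1" means no expiry (as on the page); otherwise
# <number><unit> with units s/m/h/d/w, e.g. the documented default "4w".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def expiry_seconds(value):
    """Return the lifetime in seconds, or None when the value means 'never'."""
    value = str(value).strip()
    if value == "-1":
        return None
    m = re.fullmatch(r"(\d+)([smhdw])", value)
    if not m:
        raise ValueError(f"unrecognised jwt_expiry value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def audit_config(config):
    """Report on the persisted auth.jwt_expiry, which wins over the env var."""
    raw = config.get("auth", {}).get("jwt_expiry")
    if raw is None:
        return "missing: auth.jwt_expiry not present in the export"
    secs = expiry_seconds(raw)
    if secs is None:
        return "unlimited: persisted value is -1, change it in the admin UI"
    return f"ok: tokens expire after {secs} seconds"


def token_exp(token):
    """Read the exp claim from a JWT payload (no signature verification)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("exp")


def make_unsigned_sample(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample mirroring the persisted config fragment in the issue.
SAMPLE_CONFIG = {"auth": {"admin": {"show": True}, "jwt_expiry": "-1"}}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONFIG))
    print(token_exp(make_unsigned_sample({"id": "constructed-user"})))
```

Tokens issued while the setting was `-1` are worth checking with `token_exp` as well, since a token without `exp` does not gain one when the setting is changed later.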


Reference: github-starred/open-webui#6794