diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index fe03c16..19f5f56 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -499,7 +499,7 @@ app.get('/api/session/verify', async (c) => {
 const token = authHeader.slice(7);
 try {
- const payload = await verify(token, CONFIG.jwtSecret);
+ const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
 return c.json({
 valid: true,
 userId: payload.sub,
@@ -519,7 +519,7 @@ app.post('/api/session/verify', async (c) => {
 }
 try {
- const payload = await verify(token, CONFIG.jwtSecret);
+ const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
 return c.json({
 valid: true,
 claims: payload,
@@ -545,7 +545,7 @@ app.post('/api/session/refresh', async (c) => {
 const token = authHeader.slice(7);
 try {
- const payload = await verify(token, CONFIG.jwtSecret, { clockTolerance: 60 * 60 }); // Allow 1 hour expired
+ const payload = await verify(token, CONFIG.jwtSecret, { alg: 'HS256', exp: false }); // Allow expired tokens for refresh
 // Issue new token
 const newToken = await generateSessionToken(
@@ -575,7 +575,7 @@ app.get('/api/user/credentials', async (c) => {
 const token = authHeader.slice(7);
 try {
- const payload = await verify(token, CONFIG.jwtSecret);
+ const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
 const userId = payload.sub as string;
 const creds = await getUserCredentials(userId);
@@ -606,7 +606,7 @@ app.post('/api/recovery/email/set', async (c) => {
 }
 try {
- const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret);
+ const payload = await verify(authHeader.slice(7), CONFIG.jwtSecret, 'HS256');
 const { email } = await c.req.json();
 if (!email || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
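Review bot: The algorithm pin is repeated as a bare string literal at every call site in this file — the `verify(token, CONFIG.jwtSecret, 'HS256')` line here and the same line in the hunks at 519, 575, 606 and 907 — so one missed or mistyped call site silently loses the protection the commit adds. Hoisting it next to the secret, `const JWT_ALG = 'HS256' as const;`, and writing `verify(token, CONFIG.jwtSecret, JWT_ALG)` everywhere keeps the pin in a single place where it cannot drift from the algorithm used at signing time. The hunk at 907 shows a `verifyTokenFromRequest` helper that already does the Bearer parsing plus verify; if the route handlers do not need the error detail from their own `catch` blocks (which lie outside these hunks), delegating to that helper would remove the duplication entirely. A one-line comment on the constant, `// Must match the alg used by generateSessionToken; pinning rejects tokens signed with any other alg`, records why the third argument is mandatory.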
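Review bot: `{ alg: 'HS256', exp: false }` in the refresh hunk at 545 disables expiry checking outright, so a token that expired arbitrarily long ago can still be exchanged for a fresh one, which turns a leaked but expired token into an indefinitely renewable credential; the removed line's comment shows the intent was a bounded one-hour grace, and the new comment `// Allow expired tokens for refresh` does not record that the window is now unbounded. If the library offers no tolerance option, the grace window should be enforced explicitly after `verify` by comparing `payload.exp` with the current time and rejecting tokens that are missing `exp` or are older than the allowed grace, throwing into the existing `catch` so the error path stays the one the handler already has (that `catch` and the `generateSessionToken(` call continue outside the hunk). `REFRESH_GRACE_SECONDS` below is a constructed name for a constant to define next to `CONFIG`, set to `60 * 60` to match the old comment.
```typescript
const payload = await verify(token, CONFIG.jwtSecret, { alg: 'HS256', exp: false });
// exp checking is disabled above so expired tokens reach this point; bound the
// refresh window ourselves so an old token cannot be renewed forever.
const nowSec = Math.floor(Date.now() / 1000);
if (typeof payload.exp !== 'number' || payload.exp + REFRESH_GRACE_SECONDS < nowSec) {
  throw new Error('token too old to refresh'); // handled by the existing catch below
}
// … unchanged: issue new token …
```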
@@ -907,7 +907,7 @@ async function verifyTokenFromRequest(authorization: string | undefined): Promis
 if (!authorization?.startsWith('Bearer ')) return null;
 const token = authorization.slice(7);
 try {
- const payload = await verify(token, CONFIG.jwtSecret);
+ const payload = await verify(token, CONFIG.jwtSecret, 'HS256');
 return payload as { sub: string; did?: string; username?: string };
 } catch {
 return null;
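Review bot: The line after the pinned `verify` call, `return payload as { sub: string; did?: string; username?: string }`, asserts that `sub` is a string without checking it, so a validly signed token with no `sub` claim passes through this helper and callers act on `undefined` as a user id; the assertion is type-only and erased at runtime. A guard before the return, `if (typeof payload.sub !== 'string') return null;`, makes the helper's `null`-on-invalid contract honest and lets the `as` narrowing stand on a runtime check; the same unchecked pattern appears as `payload.sub as string` in the hunk at 575. The helper's declared return type is cut off in the hunk header, so confirm `null` is already part of it.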