diff --git a/server/auth.js b/server/auth.js
index f5d0926..8425e8f 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -13,7 +13,6 @@ import {
 const router = Router();
 const TOKEN_COOKIE = 'ofapp_token';
-const TOKEN_EXPIRY = undefined; // no expiration
 function getJwtSecret() {
 let secret = getSetting('jwt_secret');
@@ -26,7 +25,9 @@ function getJwtSecret() {
 }
 function signToken(userId) {
- return jwt.sign({ userId }, getJwtSecret(), { expiresIn: TOKEN_EXPIRY });
+ // No expiration — the cookie's maxAge (~10y) controls session lifetime.
+ // Newer jsonwebtoken rejects expiresIn:undefined, so we omit the field.
+ return jwt.sign({ userId }, getJwtSecret());
 }
 function setTokenCookie(res, token) {
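Review bot: The new `jwt.sign({ userId }, getJwtSecret())` in signToken issues a token with no `exp` claim, so the comment's premise that the cookie's maxAge bounds the session does not hold — maxAge only tells the browser when to drop the cookie, while the token itself stays verifiable for as long as the signing secret is unchanged, and rotating `jwt_secret` becomes the only way to invalidate it. Since the intent is a ~10-year session anyway, pass a finite lifetime that matches the cookie instead of omitting the option, e.g. `return jwt.sign({ userId }, getJwtSecret(), { expiresIn: '3650d' });`, which keeps the same user-visible behaviour but gives the token a server-enforced end of life. If per-user revocation is needed later, the `iat` that jsonwebtoken adds by default can be compared against a stored per-user cutoff at verification time; the verify path is not in this diff, so I cannot tell whether such a check exists. The comment should also be reworded so it does not claim the cookie controls token validity, e.g. `// Lifetime is set to match the cookie maxAge so a leaked token does not remain valid indefinitely.`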