Django + SimpleJWT: Access tokens sometimes expire immediately ("credentials not provided") when calling multiple endpoints
I’m building a Vue 3 frontend (deployed on Vercel at example.com) with a Django REST Framework backend (deployed on Railway at api.example.com).
Authentication uses JWT access/refresh tokens stored in HttpOnly cookies (access, refresh).
Access token lifetime = 30 minutes
Refresh token lifetime = 1 day
Cookies are set with: HttpOnly; Secure; SameSite=None; Domain=.example.com
Django timezone settings:
LANGUAGE_CODE = "en-us"
TIME_ZONE = "Africa/Lagos"
USE_I18N = True
USE_TZ = True
The problem
When the frontend calls multiple API endpoints simultaneously (e.g. 5 requests fired together), some succeed but others fail with:
401 Unauthorized
{"detail":"Authentication credentials were not provided."}
In the failing requests I can see the cookies are sent:
cookie: access=...; refresh=...
But SimpleJWT still rejects the access token, sometimes immediately after login.
It looks like the exp claim in the access token is already in the past when Django validates it.
What I’ve tried
Verified cookies are set with correct domain and withCredentials: true.
Implemented an Axios response interceptor with refresh token retry.
Ensured CookieJWTAuthentication checks both Authorization header and access cookie.
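One way to test the hypothesis above that the exp claim is already in the past, as an added example that is not part of the original post: decode the access cookie's payload without verifying the signature and compare exp with the server clock. The claim names token_type and iat are assumed to follow SimpleJWT's defaults, the helper names are hypothetical, and the sample token is constructed.

```python
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iat, lifetime_s):
    """Constructed sample token (placeholder signature), shaped like an access JWT."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"token_type": "access", "iat": iat, "exp": iat + lifetime_s}
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(payload), "c2ln"])


def extract_cookie(cookie_header, name="access"):
    """Return one cookie's value from a raw Cookie request header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def inspect_token(token, now=None):
    """Read iat/exp from the payload WITHOUT verifying the signature.

    Diagnostic only: unverified claims must never drive an auth decision.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated JWT segments")
    claims = json.loads(b64url_decode(parts[1]))
    exp, iat = claims["exp"], claims.get("iat")
    return {
        "token_type": claims.get("token_type"),
        "lifetime_s": None if iat is None else exp - iat,
        "remaining_s": int(exp - now),
        "expired": now >= exp,
    }


if __name__ == "__main__":
    header = "access=" + make_sample_token(int(time.time()), 1800) + "; refresh=placeholder"
    print(inspect_token(extract_cookie(header)))
```

Run it against the Cookie header of a failing request: exp and iat are epoch seconds in UTC, so a 30-minute token should report lifetime_s of 1800 and a positive remaining_s regardless of TIME_ZONE.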