diff --git a/lib/auth.js b/lib/auth.js
index eae26197..23da782a 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -135,6 +135,13 @@ async function resetMultiAuthCookies (req, res) {
   setMultiAuthCookies(req, res, { ...decoded, jwt: token })
 }
 
+class JwtExpiredError extends Error {
+  constructor () {
+    super('token expired')
+    this.name = 'JwtExpiredError'
+  }
+}
+
 async function refreshMultiAuthCookies (req, res) {
   const httpOnlyOptions = cookieOptions()
   const jsOptions = { ...httpOnlyOptions, httpOnly: false }
@@ -145,8 +152,12 @@ async function refreshMultiAuthCookies (req, res) {
 
   const refreshToken = async (token) => {
     const secret = process.env.NEXTAUTH_SECRET
+    const decoded = await decodeJWT({ token, secret })
+    if (decoded.exp <= Date.now() / 1000) {
+      throw new JwtExpiredError()
+    }
     return await encodeJWT({
-      token: await decodeJWT({ token, secret }),
+      token: decoded,
       secret
     })
   }
@@ -161,7 +172,15 @@ async function refreshMultiAuthCookies (req, res) {
 
     if (MULTI_AUTH_JWT_REGEXP.test(key) || key === SESSION_COOKIE) {
       const oldToken = value
-      const newToken = await refreshToken(oldToken)
+      let newToken
+      try {
+        newToken = await refreshToken(oldToken)
+      } catch (err) {
+        if (err instanceof JwtExpiredError) {
+          continue
+        }
+        throw err
+      }
       res.appendHeader('Set-Cookie', cookie.serialize(key, newToken, httpOnlyOptions))
       continue
     }