The document security token has expired

I have a docker docservice & converter & nginx setup following

Which situation will cause this error?

"The document security token has expired."

Because it’s not always happening, becomes very difficult to debug.

I’ve looked into

      "outbox": {
          "header": "'${JWT_HEADER_OUTBOX:-${JWT_HEADER}}'",
          "inBody": '${JWT_IN_BODY:=false}',
          "expires": "5m" <== 900 seconds ?


"storage": {
    "fs": {
      "secretString": "'${SECURE_LINK_SECRET:-verysecretstring}'",
      "urlExpires":  900 <=== 900 seconds ?

It seems the error is from

this.CoAuthoringApi.onExpiredToken = function(data) {
			t.sync_EndAction(c_oAscAsyncActionType.BlockInteraction, c_oAscAsyncAction.Open);
			if (t.VersionHistory && t.VersionHistory.isRequested) {
				var error = AscCommon.getDisconnectErrorCode(t.isDocumentLoadComplete, data["code"]);
				var level = t.isDocumentLoadComplete ? Asc.c_oAscError.Level.NoCritical : Asc.c_oAscError.Level.Critical;
				if (Asc.c_oAscError.ID.UpdateVersion === error && !t.isDocumentModified()) {
					t.sendEvent("asc_onDocumentUpdateVersion", function() {});
				} else {
					t.sendEvent('asc_onError', error, level);
			} else {
				t.VersionHistory = null;

Am i correct ?

Hi @shooding :wave:
You can check out the article on helpcenter.

The section is about #Token

Here’s the link: Token

services.CoAuthoring.token.outbox.expires Defines a period when the outgoing request token expires. string 5m

It contains parameters and their descriptions.

  • What actions do you have problems with?

  • Are there any entries in the logs?

When this error happens, i use mode=mobile then everything works. But mode=embedded will prompt the error.

When open with embedded mode,

console error shows errorCode: -21

server logs, nginx is receiving connection, logs as following, but no request arrived at example (document-server-integration nodejs example).

[06/May/2024:10:09:33 +0000] "GET /7.5.1-23/doc/4fbd09a2-e506-4c38-979a-e6909e907bbe.docx/c/?EIO=4&transport=websocket HTTP/1.1" 400 45 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"

If i copy the link to another tab in Chrome, still get errorCode: -21
If i ctrl+F5 force refresh tab, it resolves.

Does it relate to Chrome’s caching the token used for coauthoringapi ?
5m is rather short.


After dig in, found the root cause is that browser will cache editor page html and try to connect websocket with cached token and got token expired error.

I found this with devtool > Network > WS debug the message and see the jwt been used is the old one.

Steps to reproduce

Open url/example/editor…
Wait for 5 min (token.expiresIn from default.json)
“Copy the url” to another browser tab
will get “The document security token has expired.”
Ctrl+F5 force reload resolves the issue.

1 Like

We’re glad you managed to solve the issue.
Thank you for sharing the solution with the community.