diff --git a/client/src/stores/auth.ts b/client/src/stores/auth.ts
index 294b31d..94b3391 100644
--- a/client/src/stores/auth.ts
+++ b/client/src/stores/auth.ts
@@ -34,7 +34,6 @@ export const useAuthStore = defineStore('auth', () => {
 return true
 }
- // Token expired or invalid → try refresh
 if (res.status === 401) {
 const refreshed = await refreshToken()
 if (refreshed) return await fetchUser()
@@ -88,7 +87,6 @@ export const useAuthStore = defineStore('auth', () => {
 * Refresh the access token using refresh cookie.
 */
 async function refreshToken() {
- // Skip if no refresh cookie (expired or logged out)
 if (!document.cookie.includes('refresh_token')) return false
 try {
@@ -116,7 +114,6 @@ export const useAuthStore = defineStore('auth', () => {
 function startAutoRefresh() {
 if (refreshInterval) clearInterval(refreshInterval)
- // Refresh every 7.5 minutes (half of 15m access token)
 refreshInterval = setInterval(async () => {
 if (!user.value) return
 const success = await refreshToken()
@@ -130,7 +127,6 @@ export const useAuthStore = defineStore('auth', () => {
 }
 }, 7.5 * 60 * 1000)
- // Also refresh immediately if tab comes back from background
 document.addEventListener('visibilitychange', async () => {
 if (document.visibilityState === 'visible' && user.value) {
 const success = await refreshToken()
diff --git a/server/src/api/v1/auth/index.ts b/server/src/api/v1/auth/index.ts
index 83b6e59..6e386a9 100644
--- a/server/src/api/v1/auth/index.ts
+++ b/server/src/api/v1/auth/index.ts
@@ -14,7 +14,7 @@ function createAccessToken(user: any) {
 return jwt.sign(
 { sub: user._id, role: user.role },
 ACCESS_TOKEN_SECRET,
- { expiresIn: '15m' },
+ { expiresIn: '7d' },
 )
 }
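Review bot: Raising `expiresIn` from '15m' to '7d' in createAccessToken gives up the main benefit of the refresh-token design: the access token is a signed JWT checked without a database lookup, so a leaked or post-logout token stays usable for a week regardless of the `user.refreshToken !== token` check that /refresh enforces (assuming no server-side access-token revocation exists, which this diff does not show). The client still refreshes on a `7.5 * 60 * 1000` interval that was sized for a 15m token, and the commit deletes the comment that explained that sizing instead of updating it, so the two sides now silently disagree. If the long lifetime is intended, reconcile it with the access_token cookie maxAge and the client interval and document the revocation window at this line, e.g. `// Access tokens cannot be revoked before expiry; keep this short and in step with the client's refresh interval.` Otherwise keep `{ expiresIn: '15m' },`.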
@@ -53,7 +53,9 @@ router.post('/login', async (req: Request, res: Response) => {
 res.cookie('access_token', accessToken, { httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: 7 * 24 * 60 * 60 * 1000, })
- const refreshMaxAge = remember > 7 ? 365 * 24 * 60 * 60 * 1000 : 7 * 24 * 60 * 60 * 1000
+ const refreshMaxAge = remember
+ ? 365 * 24 * 60 * 60 * 1000
+ : 7 * 24 * 60 * 60 * 1000
 res.cookie('refreshToken', refreshToken, { httpOnly: true, sameSite: 'lax', secure: process.env.NODE_ENV !== 'dev', maxAge: refreshMaxAge,
@@ -79,7 +81,7 @@ router.post('/refresh', async (req: Request, res: Response) => {
 try {
 const payload = jwt.verify(token, REFRESH_TOKEN_SECRET) as any
- const user = await UserModel.findById(payload.sub)
+ const user = await UserModel.findById(payload.id)
 if (!user || user.refreshToken !== token) return res.status(403).json({ error: 'Invalid refresh token' })
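Review bot: The new `remember ? … : …` selects the 365-day refresh cookie on any truthy value, so a string such as 'false' or '0' arriving from a JSON or form body would get the long lifetime, whereas the previous `remember > 7` at least required a numeric comparison. Where `remember` comes from and how it is typed is outside the hunk, so if it is already validated as a boolean this is harmless, but `const refreshMaxAge = remember === true` makes the intent explicit and robust. Separately, this cookie is written as `refreshToken` with `httpOnly: true`, while the client guard in client/src/stores/auth.ts checks `document.cookie.includes('refresh_token')`; an httpOnly cookie is never exposed to document.cookie and the name differs anyway, so that guard looks like it returns false before any refresh request is sent — worth confirming against the client's observed behavior. The res.cookie call continues past the end of the hunk.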
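Review bot: `payload.id` replaces `payload.sub`, but the only token minting visible in this diff, createAccessToken, puts the user id in `sub`; if the refresh token is signed the same way (not shown), `payload.id` is undefined and every refresh ends in the 403 below, which the client would experience as a forced logout. Whichever claim is correct, `payload` is `any` and the claim goes straight into findById without a shape check; a guard such as `if (typeof payload.id !== 'string') return res.status(403).json({ error: 'Invalid refresh token' })` keeps a validly signed but malformed token from reaching the database query. The route handler and its try block start before this hunk.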