diff --git a/docs/docs/configuration/reference.md b/docs/docs/configuration/reference.md
index 6dde92fbe..5fae34a78 100644
--- a/docs/docs/configuration/reference.md
+++ b/docs/docs/configuration/reference.md
@@ -123,7 +123,7 @@ auth:
 # Optional: Refresh time in seconds (default: shown below)
 # When the session is going to expire in less time than this setting,
 # it will be refreshed back to the session_length.
- refresh_time: 43200 # 12 hours
+ refresh_time: 1800 # 30 minutes
 # Optional: Rate limiting for login failures to help prevent brute force
 # login attacks (default: shown below)
 # See the docs for more information on valid values
diff --git a/frigate/api/auth.py b/frigate/api/auth.py
index b88c4be59..e345d645c 100644
--- a/frigate/api/auth.py
+++ b/frigate/api/auth.py
@@ -648,27 +648,28 @@ def auth(request: Request):
 logger.debug("jwt token expired")
 return fail_response
 
- # Check if password has been changed after token was issued
- try:
- user_obj = User.get_by_id(user)
- # Only invalidate token if password was changed after token was issued
- if user_obj.password_changed_at is not None:
- token_iat = int(token.claims.get("iat", 0))
- password_changed_timestamp = int(
- user_obj.password_changed_at.timestamp()
- )
- if token_iat < password_changed_timestamp:
- logger.debug(
- "jwt token issued before password change, invalidating token"
- )
- return fail_response
- except DoesNotExist:
- logger.debug("user not found")
- return fail_response
-
 # if the jwt cookie is expiring soon
 if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:
 logger.debug("jwt token expiring soon, refreshing cookie")
+
+ # Check if password has been changed since token was issued
+ # If so, force re-login by rejecting the refresh
+ try:
+ user_obj = User.get_by_id(user)
+ if user_obj.password_changed_at is not None:
+ token_iat = int(token.claims.get("iat", 0))
+ password_changed_timestamp = int(
+ user_obj.password_changed_at.timestamp()
+ )
+ if token_iat < password_changed_timestamp:
+ logger.debug(
+ "jwt token issued before password change, rejecting refresh"
+ )
+ return fail_response
+ except DoesNotExist:
+ logger.debug("user not found")
+ return fail_response
+
 new_expiration = current_time + JWT_SESSION_LENGTH
 new_encoded_jwt = create_encoded_jwt(
 user, role, new_expiration, request.app.jwt_token
diff --git a/frigate/config/auth.py b/frigate/config/auth.py
index fced20620..6935350a0 100644
--- a/frigate/config/auth.py
+++ b/frigate/config/auth.py
@@ -20,7 +20,7 @@ class AuthConfig(FrigateBaseModel):
 default=86400, title="Session length for jwt session tokens", ge=60
 )
 refresh_time: int = Field(
- default=43200,
+ default=1800,
 title="Refresh the session if it is going to expire in this many seconds",
 ge=30,
 )
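Review bot: The `password_changed_at` comparison now lives only inside the `if jwt_source == "cookie" and expiration - JWT_REFRESH <= current_time:` branch, so a token issued before a password change keeps authenticating until it is within `JWT_REFRESH` of expiry — with the new 1800 s default against the 86400 s `session_length` default in the config hunk, that is up to roughly 22.5 hours — and a JWT that arrives from a non-cookie source never reaches the check at all. That undercuts the usual reason for stamping `password_changed_at`, which is to revoke every existing session (including one an attacker holds) as soon as the password is rotated. If the goal was only to keep the user's own session alive after they change their password, the safer shape is to keep the `try:` block before the refresh branch, where the removed lines had it, and have the password-change endpoint issue a fresh cookie to the caller. Whichever way it goes, the trade-off should be stated next to `refresh_time`, e.g. `# NOTE: a password change only invalidates an existing cookie when it next refreshes`. auth() starts and ends outside this hunk.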
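Review bot: Nothing relates `refresh_time` to `session_length` beyond their independent `ge=30` and `ge=60` lower bounds, so a config with `refresh_time` at or above `session_length` makes `expiration - JWT_REFRESH <= current_time` true on every cookie request and rewrites the cookie each time. A cross-field validator that rejects `refresh_time >= session_length` would surface that misconfiguration at load time instead of silently turning every request into a refresh; whether `FrigateBaseModel` already offers one cannot be seen from here, and the class body continues outside this hunk.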