diff --git a/modules/backend/src/main/scala/docspell/backend/auth/TokenUtil.scala b/modules/backend/src/main/scala/docspell/backend/auth/TokenUtil.scala
index 9bba4823..329e8e4a 100644
--- a/modules/backend/src/main/scala/docspell/backend/auth/TokenUtil.scala
+++ b/modules/backend/src/main/scala/docspell/backend/auth/TokenUtil.scala
@@ -23,7 +23,9 @@ private[auth] object TokenUtil {
 def sign(cd: AuthToken, key: ByteVector): String = {
 val raw =
- cd.nowMillis.toString + cd.account.asString + cd.requireSecondFactor + cd.salt
+ cd.nowMillis.toString + cd.account.asString + cd.requireSecondFactor + cd.salt + cd.valid
+ .map(_.seconds.toString)
+ .getOrElse("")
 signRaw(raw, key)
 }
diff --git a/modules/backend/src/test/scala/docspell/backend/auth/AuthTokenTest.scala b/modules/backend/src/test/scala/docspell/backend/auth/AuthTokenTest.scala
new file mode 100644
index 00000000..97cc7b78
--- /dev/null
+++ b/modules/backend/src/test/scala/docspell/backend/auth/AuthTokenTest.scala
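Review bot: The signed string in `sign` is built by plain concatenation with no separator, so appending the validity seconds straight after `cd.salt` leaves the boundary between those two fields outside what the signature binds: a salt ending in digits with no validity serialises to the same text as a shorter salt followed by a validity. If the token fields are read from client-supplied text before the signature is compared (parsing and validation are outside this hunk), the signature would not tell those cases apart, which weakens the per-token lifetime this change is meant to protect. Put a separator in front of the new field, for example `.map(v => ":" + v.seconds.toString)`, assuming `:` cannot occur in the salt; tokens without a validity would still sign to the same string as before. The same lack of separators applies to the earlier fields in `raw` and is worth a comment on `sign` stating which field formats make the concatenation unambiguous.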
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2020 Eike K. & Contributors
+ *
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+package docspell.backend.auth
+
+import cats.effect._
+import cats.syntax.option._
+
+import docspell.common._
+
+import munit.CatsEffectSuite
+import scodec.bits.ByteVector
+
+class AuthTokenTest extends CatsEffectSuite {
+
+ val user = AccountId(Ident.unsafe("demo"), Ident.unsafe("demo"))
+ val john = AccountId(Ident.unsafe("demo"), Ident.unsafe("john"))
+ val secret = ByteVector.fromValidHex("caffee")
+ val otherSecret = ByteVector.fromValidHex("16bad")
+
+ test("validate") {
+ val token1 = AuthToken.user[IO](user, false, secret, None).unsafeRunSync()
+ val token2 =
+ AuthToken.user[IO](user, false, secret, Duration.seconds(10).some).unsafeRunSync()
+ assert(token1.validate(secret, Duration.seconds(5)))
+ assert(!token1.validate(otherSecret, Duration.seconds(5)))
+ assert(!token1.copy(account = john).validate(secret, Duration.seconds(5)))
+
+ assert(token2.validate(secret, Duration.millis(0)))
+ assert(
+ !token2.copy(valid = Duration.minutes(10).some).validate(secret, Duration.millis(0))
+ )
+ }
+}
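Review bot: The `validate` test only checks that swapping one validity for another (10 seconds to 10 minutes) breaks the signature; it does not cover removing the validity from `token2` or adding one to `token1`. Those are the cases where the `getOrElse("")` fallback in the signed string matters. Add `assert(!token2.copy(valid = None).validate(secret, Duration.millis(0)))` and `assert(!token1.copy(valid = Duration.seconds(10).some).validate(secret, Duration.seconds(5)))`; both should hold if `validate` recomputes the signature over the token's fields, which is not visible here. As a style point, the two `unsafeRunSync()` calls can be dropped by returning an `IO` from the test body, which `CatsEffectSuite` runs itself.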