diff --git a/src/api/identity.rs b/src/api/identity.rs
index 6862ca28..d6cc2df3 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@@ -53,7 +53,7 @@ async fn login(data: Form, client_header: ClientHeaders, mut conn:
 let login_result = match data.grant_type.as_ref() {
 "refresh_token" => {
 _check_is_some(&data.refresh_token, "refresh_token cannot be blank")?;
- _refresh_login(data, &mut conn).await
+ _refresh_login(data, &mut conn, &client_header.ip).await
 }
 "password" if CONFIG.sso_enabled() && CONFIG.sso_only() => err!("SSO sign-in is required"),
 "password" => {
@@ -124,7 +124,7 @@ async fn login(data: Form, client_header: ClientHeaders, mut conn:
 }
 
 // Return Status::Unauthorized to trigger logout
-async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
+async fn _refresh_login(data: ConnectData, conn: &mut DbConn, ip: &ClientIp) -> JsonResult {
 // Extract token
 let refresh_token = match data.refresh_token {
 Some(token) => token,
@@ -137,7 +137,7 @@ async fn _refresh_login(data: ConnectData, conn: &mut DbConn) -> JsonResult {
 // See: https://github.com/dani-garcia/vaultwarden/issues/4156
 // ---
 // let members = Membership::find_confirmed_by_user(&user.uuid, conn).await;
- match auth::refresh_tokens(&refresh_token, conn).await {
+ match auth::refresh_tokens(ip, &refresh_token, conn).await {
 Err(err) => {
 err_code!(format!("Unable to refresh login credentials: {}", err.message()), Status::Unauthorized.code)
 }
diff --git a/src/auth.rs b/src/auth.rs
index 8dff3603..5cb71333 100644
--- a/src/auth.rs
+++ b/src/auth.rs
@@ -112,7 +112,7 @@ pub fn decode_jwt(token: &str, issuer: String) -> Result
 err!("Token is invalid"),
 ErrorKind::InvalidIssuer => err!("Issuer is invalid"),
 ErrorKind::ExpiredSignature => err!("Token has expired"),
- _ => err!("Error decoding JWT"),
+ _ => err!(format!("Error decoding JWT: {:?}", err)),
 },
 }
 }
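Review bot: The catch-all arm now embeds the `Debug` form of the decoder error in the `err!` message, and in this same commit that message travels up through `decode_refresh`, `refresh_tokens` and `_refresh_login` into the client-visible `Unable to refresh login credentials: {}` response. Internal decoder details (the crate's base64, JSON or crypto error variants, for example) belong in the server log, not in the response to the caller. Keep the client text generic and log the detail instead: `debug!("Error decoding JWT: {err:?}");` followed by `err!("Error decoding JWT")`. The enclosing `decode_jwt` starts outside the hunk, and its first context line appears truncated in this view.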
@@ -1177,11 +1177,12 @@ impl AuthTokens {
 }
 }
 
-pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, AuthTokens)> {
- let time_now = Utc::now();
-
+pub async fn refresh_tokens(ip: &ClientIp, refresh_token: &str, conn: &mut DbConn) -> ApiResult<(Device, AuthTokens)> {
 let refresh_claims = match decode_refresh(refresh_token) {
- Err(err) => err_silent!(format!("Impossible to read refresh_token: {}", err.message())),
+ Err(err) => {
+ debug!("Failed to decode {} refresh_token: {refresh_token}", ip.ip);
+ err_silent!(format!("Impossible to read refresh_token: {}", err.message()))
+ }
 Ok(claims) => claims,
 };
 
@@ -1199,10 +1200,6 @@ pub async fn refresh_tokens(refresh_token: &str, conn: &mut DbConn) -> ApiResult
 Some(user) => user,
 };
 
- if refresh_claims.exp < time_now.timestamp() {
- err!("Expired refresh token");
- }
-
 let auth_tokens = match refresh_claims.sub {
 AuthMethod::Sso if CONFIG.sso_enabled() && CONFIG.sso_auth_only_not_session() => {
 AuthTokens::new(&device, &user, refresh_claims.sub)
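Review bot: The new `debug!` in the `Err` arm writes the complete `refresh_token` value to the log, so every refresh token that fails decoding — including an expired but otherwise genuine one, or one rejected only because the signing key changed — is persisted as a bearer credential in log files and in whatever collects them. The client IP and the decode error are enough to diagnose the failure; drop the token from the message: `debug!("Failed to decode refresh_token from {}: {}", ip.ip, err.message());`. If correlating repeated failures on one token is genuinely needed, a fixed-length prefix or a hash of the token provides that without logging the credential itself. `refresh_tokens` continues past the end of this hunk.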
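Review bot: Removing the explicit `exp` comparison leaves `decode_refresh` as the only place the refresh token's lifetime is enforced, and nothing in this hunk shows that its validation settings check expiry; the `ErrorKind::ExpiredSignature` arm in `decode_jwt` suggests they do, but that is inferred rather than visible here. A one-line comment where the check used to be, such as `// Expiry is enforced by the JWT validation inside decode_refresh`, would record that dependency so the check is not silently lost if the validation is ever relaxed. Note also that an expired token now surfaces through `err_silent!` with the `Impossible to read refresh_token: …` text instead of the former `err!("Expired refresh token")`, so both the client-visible message and, presumably, the logging behaviour change for that case. The enclosing function starts and ends outside this hunk.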