diff --git a/packages/nocodb/src/models/UserRefreshToken.ts b/packages/nocodb/src/models/UserRefreshToken.ts
index 5bd644d6bd..ae4d805fd0 100644
--- a/packages/nocodb/src/models/UserRefreshToken.ts
+++ b/packages/nocodb/src/models/UserRefreshToken.ts
@@ -1,9 +1,18 @@
+import process from 'process';
 import dayjs from 'dayjs';
 import Noco from '~/Noco';
 import { extractProps } from '~/helpers/extractProps';
 import { MetaTable } from '~/utils/globals';
 import { parseMetaProp, stringifyMetaProp } from '~/utils/modelUtils';
+const NC_REFRESH_TOKEN_EXP_IN_DAYS =
+ parseInt(process.env.NC_REFRESH_TOKEN_EXP_IN_DAYS, 10) || 90;
+
+// throw error if user provided invalid value
+if (NC_REFRESH_TOKEN_EXP_IN_DAYS <= 0) {
+ throw new Error('NC_REFRESH_TOKEN_EXP_IN_DAYS must be a positive number');
+}
+
 export default class UserRefreshToken {
 fk_user_id: string;
 token: string;
@@ -39,9 +48,11 @@ export default class UserRefreshToken {
 'meta',
 ]);
- // set default expiry as 90 days if missing
+ // set expiry based on the env or default value
 if (!('expires_at' in insertObj)) {
- insertObj.expires_at = dayjs().add(90, 'day').toDate();
+ insertObj.expires_at = dayjs()
+ .add(NC_REFRESH_TOKEN_EXP_IN_DAYS, 'day')
+ .toDate();
 }
 if ('meta' in insertObj) {
@@ -68,11 +79,11 @@ export default class UserRefreshToken {
 null,
 MetaTable.USER_REFRESH_TOKENS,
 {
- token: oldToken,
- expires_at: dayjs().add(90, 'day').toDate(),
+ token: newToken,
+ expires_at: dayjs().add(NC_REFRESH_TOKEN_EXP_IN_DAYS, 'day').toDate(),
 },
 {
- token: newToken,
+ token: oldToken,
 },
 );
 }
diff --git a/packages/nocodb/src/services/users/users.service.ts b/packages/nocodb/src/services/users/users.service.ts
index c95fc3e565..9010192250 100644
--- a/packages/nocodb/src/services/users/users.service.ts
+++ b/packages/nocodb/src/services/users/users.service.ts
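Review bot: The check under `// throw error if user provided invalid value` in the `@@ -1,9 +1,18 @@` hunk can only fire for negative numbers, because `parseInt(...) || 90` has already turned `0`, an empty string and any non-numeric value into the 90-day default, and `parseInt` also accepts trailing garbage such as `30d`. A typo in NC_REFRESH_TOKEN_EXP_IN_DAYS therefore silently produces a refresh-token lifetime the operator did not ask for. Parse strictly and fall back only when the variable is unset: `const raw = process.env.NC_REFRESH_TOKEN_EXP_IN_DAYS;`, `const NC_REFRESH_TOKEN_EXP_IN_DAYS = raw === undefined ? 90 : Number(raw);`, guarded by `if (!Number.isInteger(NC_REFRESH_TOKEN_EXP_IN_DAYS) || NC_REFRESH_TOKEN_EXP_IN_DAYS <= 0)`. An upper bound is worth considering as well, since a very large value makes refresh tokens effectively non-expiring.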
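Review bot: The update payload in the `@@ -68,11 +79,11 @@` hunk restarts `expires_at` at a full NC_REFRESH_TOKEN_EXP_IN_DAYS from now on every rotation, so the expiry is sliding and nothing visible in this hunk caps the total lifetime of a session that keeps refreshing. That behaviour is undocumented and should be stated where the update is built, for example `// rotate in place: replace the stored token and restart the expiry window (sliding expiry, no absolute session lifetime)`. The enclosing method starts and ends outside the hunk, so its name, signature and return value are not visible here.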
@@ -370,9 +370,9 @@ export class UsersService {
 NcError.badRequest(`Missing refresh token`);
 }
- const user = await User.getByRefreshToken(
- param.req.cookies.refresh_token,
- );
+ const oldRefreshToken = param.req.cookies.refresh_token;
+
+ const user = await User.getByRefreshToken(oldRefreshToken);
 if (!user) {
 NcError.badRequest(`Invalid refresh token`);
@@ -380,10 +380,12 @@ export class UsersService {
 const refreshToken = randomTokenString();
- await UserRefreshToken.insert({
- token: refreshToken,
- fk_user_id: user.id,
- });
+ try {
+ await UserRefreshToken.updateOldToken(oldRefreshToken, refreshToken);
+ } catch (error) {
+ console.error('Failed to update old refresh token:', error);
+ NcError.internalServerError('Failed to update refresh token');
+ }
 setTokenCookie(param.res, refreshToken);
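Review bot: The `try` block added in the `@@ -380,10 +380,12 @@` hunk treats every non-throwing `updateOldToken` call as success, but an update that matches no row would normally not throw. If two refresh requests arrive with the same cookie, both can pass `User.getByRefreshToken`; the second update would then find the old token already replaced, and `setTokenCookie` would hand the client a token that was presumably never stored. Have `updateOldToken` report the number of rows it changed (its return value is not visible in this diff) and reject when that is zero, e.g. `if (!updated) NcError.badRequest('Invalid refresh token');`. The enclosing method continues outside the hunk.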