Why is expires set in two places in this example? https://github.com/juxt/yada/blob/master/dev/src/yada/dev/security.clj#L71-L74

@nha one is for the token and one is for the cookie. E.g. the “cookie-token” will get “removed” by the browser with the cookie one. The second one is so the jwt machinery can reject it.

Thanks kardan, I was suspecting something like that.