diff --git a/src/main/kotlin/dev/usbharu/hideout/Application.kt b/src/main/kotlin/dev/usbharu/hideout/Application.kt
index 438a49ed..92ec9ee3 100644
--- a/src/main/kotlin/dev/usbharu/hideout/Application.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/Application.kt
@@ -101,7 +101,8 @@ fun Application.parent() {
 inject().value,
 inject().value,
 inject().value,
- inject().value
+ inject().value,
+ inject().value
 )
 configureRouting(
 inject().value,
diff --git a/src/main/kotlin/dev/usbharu/hideout/plugins/Security.kt b/src/main/kotlin/dev/usbharu/hideout/plugins/Security.kt
index f2b70cf7..19c3bb60 100644
--- a/src/main/kotlin/dev/usbharu/hideout/plugins/Security.kt
+++ b/src/main/kotlin/dev/usbharu/hideout/plugins/Security.kt
@@ -107,14 +107,14 @@ fun Application.configureSecurity(
 post("/refresh-token") {
 val refreshToken = call.receive()
 val findByToken = refreshTokenRepository.findByToken(refreshToken.refreshToken)
- ?: return@post call.respond(HttpStatusCode.Forbidden)
+ ?: return@post call.respondText("token not found",status = HttpStatusCode.Forbidden)
 if (findByToken.createdAt.isAfter(Instant.now())) {
- return@post call.respond(HttpStatusCode.Forbidden)
+ return@post call.respondText("created_at", status = HttpStatusCode.Forbidden)
 }
- if (findByToken.expiresAt.isAfter(Instant.now())) {
- return@post call.respond(HttpStatusCode.Forbidden)
+ if (findByToken.expiresAt.isBefore(Instant.now())) {
+ return@post call.respondText( "expires_at", status = HttpStatusCode.Forbidden)
 }
 val user = userRepository.findById(findByToken.userId)
diff --git a/src/main/web/App.tsx b/src/main/web/App.tsx
index 62047d22..0da03fa6 100644
--- a/src/main/web/App.tsx
+++ b/src/main/web/App.tsx
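Review bot: In Security.kt the three rejection branches of `/refresh-token` now return different bodies (`"token not found"`, `"created_at"`, `"expires_at"`), which tells an unauthenticated caller whether a submitted refresh token exists and why it was refused. Return one generic body from all three, e.g. `return@post call.respondText("invalid refresh token", status = HttpStatusCode.Forbidden)`, and record the specific reason in a server-side log instead. The added lines also have uneven spacing (`"token not found",status` and `respondText( "expires_at"`). The route handler continues past the end of the hunk, so whether the presented token is rotated or revoked after use is not visible here.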
@@ -18,13 +18,24 @@ export const App: Component = () => { headers: { 'Content-Type': 'application/json' } - }).then(res => res.text()) - .then(res => fetch("/auth-check", { - method: "GET", + }).then(res => res.json()) + // .then(res => fetch("/auth-check", { + // method: "GET", + // headers: { + // 'Authorization': 'Bearer ' + res.token + // } + // })) + // .then(res => res.json()) + .then(res => { + console.log(res.token); + fetch("/refresh-token", { + method: "POST", headers: { - 'Authorization': 'Bearer ' + res - } - })).then(res => console.log(res)) + 'Content-Type': 'application/json', + }, + body: JSON.stringify({refreshToken: res.refreshToken}), + }).then(res=> res.json()).then(res => console.log(res.token)) + }) } }> diff --git a/vite.config.ts b/vite.config.ts index 4ae5194e..3f3c0c58 100644 --- a/vite.config.ts +++ b/vite.config.ts @@ -10,6 +10,7 @@ export default defineConfig({ '/api': 'http://localhost:8080', '/login': 'http://localhost:8080', '/auth-check': 'http://localhost:8080', + '/refresh-token': 'http://localhost:8080', } }, root: './src/main/web',
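Review bot: In App.tsx both new `console.log(res.token)` calls write the issued bearer token to the browser console, where it can end up in shared logs or screenshots; drop them or log a non-secret marker such as `console.log('token refreshed')`. The inner `fetch("/refresh-token", …)` is not returned from the `.then` callback and nothing checks `res.ok`, so a 403 from the server (which answers with plain text after the Security.kt change) makes `res.json()` reject with no handler; `return fetch(...)` plus `if (!res.ok) throw new Error(res.statusText)` before parsing would surface the failure. The commented-out `/auth-check` block would be better deleted than committed.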