diff --git a/internal/auth/refresh.go b/internal/auth/refresh.go
index 1f23c69..22f2949 100644
--- a/internal/auth/refresh.go
+++ b/internal/auth/refresh.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"gitea.local/admin/hspguard/internal/types"
 	"gitea.local/admin/hspguard/internal/util"
 	"gitea.local/admin/hspguard/internal/web"
 	"github.com/google/uuid"
@@ -26,7 +27,9 @@ func (h *AuthHandler) refreshToken(w http.ResponseWriter, r *http.Request) {
 	}
 
 	tokenStr := parts[1]
-	token, userClaims, err := util.VerifyToken(tokenStr, h.cfg.Jwt.PublicKey)
+	var userClaims types.UserClaims
+
+	token, err := util.VerifyToken(tokenStr, h.cfg.Jwt.PublicKey, &userClaims)
 	if err != nil || !token.Valid {
 		http.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
 		return
diff --git a/internal/middleware/auth.go b/internal/middleware/auth.go
index 7000a66..e934e04 100644
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@@ -37,7 +37,9 @@ func (m *AuthMiddleware) Runner(next http.Handler) http.Handler {
 		}
 
 		tokenStr := parts[1]
-		token, userClaims, err := util.VerifyToken(tokenStr, m.cfg.Jwt.PublicKey)
+		var userClaims types.UserClaims
+
+		token, err := util.VerifyToken(tokenStr, m.cfg.Jwt.PublicKey, &userClaims)
 		if err != nil || !token.Valid {
 			web.Error(w, fmt.Sprintf("invalid token: %v", err), http.StatusUnauthorized)
 			return
diff --git a/internal/util/jwt.go b/internal/util/jwt.go
index e0861de..ad33952 100644
--- a/internal/util/jwt.go
+++ b/internal/util/jwt.go
@@ -6,7 +6,6 @@ import (
 	"encoding/base64"
 	"fmt"
 
-	"gitea.local/admin/hspguard/internal/types"
 	"github.com/golang-jwt/jwt/v5"
 )
 
@@ -57,13 +56,12 @@ func SignJwtToken(claims jwt.Claims, key string) (string, error) {
 	return s, nil
 }
 
-func VerifyToken(token string, key string) (*jwt.Token, *types.UserClaims, error) {
+func VerifyToken(token string, key string, claims jwt.Claims) (*jwt.Token, error) {
 	publicKey, err := ParseBase64PublicKey(key)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 
-	claims := &types.UserClaims{}
 	parsed, err := jwt.ParseWithClaims(token, claims, func(t *jwt.Token) (any, error) {
 		if _, ok := t.Method.(*jwt.SigningMethodRSA); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
@@ -72,12 +70,12 @@ func VerifyToken(token string, key string) (*jwt.Token, *types.UserClaims, error
 	})
 
 	if err != nil {
-		return nil, nil, fmt.Errorf("invalid token: %w", err)
+		return nil, fmt.Errorf("invalid token: %w", err)
 	}
 
 	if !parsed.Valid {
-		return nil, nil, fmt.Errorf("token is not valid")
+		return nil, fmt.Errorf("token is not valid")
 	}
 
-	return parsed, claims, nil
+	return parsed, nil
 }