diff --git a/apps/browser-extension/src/entrypoints/popup/App.tsx b/apps/browser-extension/src/entrypoints/popup/App.tsx
index c4663f181..1cdd55547 100644
--- a/apps/browser-extension/src/entrypoints/popup/App.tsx
+++ b/apps/browser-extension/src/entrypoints/popup/App.tsx
@@ -135,7 +135,7 @@ const AppContent: React.FC<{
}}
>
{message && (
-
+
)}
diff --git a/apps/server/AliasVault.Api/Controllers/AuthController.cs b/apps/server/AliasVault.Api/Controllers/AuthController.cs
index 51243c096..72b283640 100644
--- a/apps/server/AliasVault.Api/Controllers/AuthController.cs
+++ b/apps/server/AliasVault.Api/Controllers/AuthController.cs
@@ -56,6 +56,17 @@ public class AuthController(IAliasServerDbContextFactory dbContextFactory, UserM
///
private const int MobileLoginTimeoutMinutes = 3;
+ ///
+ /// Access token validity in minutes.
+ ///
+ ///
+ /// This is the time period for which the access token is valid.
+ /// It is used to authenticate the user for a limited time
+ /// and is short-lived by design. With the separate refresh token, the user can request a new access token
+ /// when this access token expires.
+ ///
+ private const int AccessTokenValiditySeconds = 600;
+
///
/// Semaphore to prevent concurrent access to the database when generating new tokens for a user.
///
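Review bot: The summary on the new `AccessTokenValiditySeconds` constant reads "Access token validity in minutes", but the value 600 is passed to `AddSeconds` in the token-generation hunk further down, so the documented unit is wrong. This constant bounds how long a leaked access token remains usable, so a maintainer who trusts the comment could set a lifetime off by a factor of 60. Change the summary line to `/// Access token validity in seconds.` so the comment matches the name and its use.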
@@ -969,7 +980,7 @@ public class AuthController(IAliasServerDbContextFactory dbContextFactory, UserM
issuer: configuration["Jwt:Issuer"] ?? string.Empty,
audience: configuration["Jwt:Issuer"] ?? string.Empty,
claims: claims,
- expires: timeProvider.UtcNow.AddMinutes(10),
+ expires: timeProvider.UtcNow.AddSeconds(AccessTokenValiditySeconds),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
diff --git a/apps/server/AliasVault.Api/Helpers/AuthHelper.cs b/apps/server/AliasVault.Api/Helpers/AuthHelper.cs
index 5d770dde4..180e6da3b 100644
--- a/apps/server/AliasVault.Api/Helpers/AuthHelper.cs
+++ b/apps/server/AliasVault.Api/Helpers/AuthHelper.cs
@@ -91,9 +91,12 @@ public static class AuthHelper
{
var userAgent = request.Headers.UserAgent.ToString();
var acceptLanguage = request.Headers.AcceptLanguage.ToString();
- var client = request.Headers["X-AliasVault-Client"].ToString();
- var rawIdentifier = $"{client}|{userAgent}|{acceptLanguage}";
+ // Client header is usually formatted like "[client name]-[version]" e.g. "chrome-0.25.0", take only "chrome"
+ var clientHeader = request.Headers["X-AliasVault-Client"].ToString();
+ var clientName = clientHeader?.Split('-')[0] ?? "unknown";
+
+ var rawIdentifier = $"{clientName}|{userAgent}|{acceptLanguage}";
return rawIdentifier;
}
}
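Review bot: The `"unknown"` fallback on the new `clientName` line can never be reached, because `StringValues.ToString()` returns an empty string rather than null when `X-AliasVault-Client` is absent, so a missing header yields an empty client segment. If the fallback is wanted, test for emptiness instead: `var clientName = string.IsNullOrWhiteSpace(clientHeader) ? "unknown" : clientHeader.Split('-')[0];`. Taking everything before the first `-` would also truncate any client name that itself contains a hyphen; the hunk does not show whether such names exist, so confirm that against the client list. All three parts of `rawIdentifier` are request headers the caller controls, so a comment should state that the value is a convenience label for grouping sessions, not proof of device identity. The enclosing method starts outside this hunk, so how the identifier is consumed is not visible here.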