diff --git a/ansible/roles/ooni-backend/templates/api.conf b/ansible/roles/ooni-backend/templates/api.conf
index 25d1d0c..0ff0ca0 100644
--- a/ansible/roles/ooni-backend/templates/api.conf
+++ b/ansible/roles/ooni-backend/templates/api.conf
@@ -36,8 +36,8 @@ TOR_TARGETS_CONFFILE = "/etc/ooni/tor_targets.json"
 JWT_ENCRYPTION_KEY = "{{ jwt_encryption_key }}"
 ACCOUNT_ID_HASHING_KEY = "{{ account_id_hashing_key }}"
 
-SESSION_EXPIRY_DAYS = 180
-LOGIN_EXPIRY_DAYS = 365
+SESSION_EXPIRY_DAYS = 2
+LOGIN_EXPIRY_DAYS = 7
 
 # Registration email delivery
 MAIL_SERVER = "mail.riseup.net"
diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index 6bcf9d5..f490db4 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -422,7 +422,7 @@ module "ooniapi_ooniprobe" {
 
   task_secrets = {
     POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
-    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret
+    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
 
@@ -473,7 +473,7 @@ module "ooniapi_oonirun" {
 
   task_secrets = {
     POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
-    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret
+    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
 
@@ -521,7 +521,7 @@ module "ooniapi_oonifindings" {
 
   task_secrets = {
     POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
-    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret
+    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
   }
 
@@ -572,7 +572,7 @@ module "ooniapi_ooniauth" {
 
   task_secrets = {
     POSTGRESQL_URL              = aws_secretsmanager_secret_version.oonipg_url.arn
-    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret
+    JWT_ENCRYPTION_KEY          = data.aws_ssm_parameter.jwt_secret.arn
     PROMETHEUS_METRICS_PASSWORD = aws_secretsmanager_secret_version.prometheus_metrics_password.arn
 
     AWS_SECRET_ACCESS_KEY = module.ooniapi_user.aws_secret_access_key_arn