diff --git a/flyfish-user/src/main/java/dev/flyfish/framework/user/config/WebSecurityConfig.java b/flyfish-user/src/main/java/dev/flyfish/framework/user/config/WebSecurityConfig.java
index 0695f8a..79addef 100644
--- a/flyfish-user/src/main/java/dev/flyfish/framework/user/config/WebSecurityConfig.java
+++ b/flyfish-user/src/main/java/dev/flyfish/framework/user/config/WebSecurityConfig.java
@@ -113,7 +113,7 @@ public class WebSecurityConfig {
 }
 
 @ConditionalOnProperty(value = "jwt.enable", havingValue = "false")
- @Bean
+ @Bean("contextRepository")
 public ServerSecurityContextRepository contextRepository() {
 return new WebSessionServerSecurityContextRepository();
 }
@@ -137,10 +137,11 @@ public class WebSecurityConfig {
 SecurityProperties properties,
 ReactiveUserDetailsService userDetailsService,
 ServerAuthenticationConverter authenticationConverter,
- AuthenticationAuditor authenticationAuditor) {
+ AuthenticationAuditor authenticationAuditor,
+ ServerSecurityContextRepository contextRepository) {
 ReactiveAuthenticationManager authenticationManager = new UserDetailsRepositoryReactiveAuthenticationManager(userDetailsService);
 return http
- .securityContextRepository(contextRepository())
+ .securityContextRepository(contextRepository)
 .authorizeExchange(spec -> spec.pathMatchers(ArrayUtils.addAll(properties.getAllowUris(), "/api/logout", "/api/login")).permitAll()
 .pathMatchers("/api/users/**").authenticated()
 .anyExchange().authenticated())
@@ -154,7 +155,7 @@ public class WebSecurityConfig {
 .accessDeniedHandler(new HttpStatusServerAccessDeniedHandler(HttpStatus.UNAUTHORIZED)))
 .csrf(spec -> spec.disable())
 .addFilterAt(
- configure(authenticationManager, authenticationAuditor, authenticationConverter, tokenProvider),
+ configure(authenticationManager, authenticationAuditor, authenticationConverter, contextRepository),
 SecurityWebFiltersOrder.FORM_LOGIN)
 .build();
 }
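Review bot: The `@ConditionalOnProperty(value = "jwt.enable", havingValue = "false")` bean is the only `ServerSecurityContextRepository` visible in this diff, yet `securityWebFilterChain` in the next hunk now injects that type as a required parameter, so with `jwt.enable=true` the context will fail to start unless a counterpart repository bean exists elsewhere (not visible here). Naming the bean explicitly with `@Bean("contextRepository")` suggests such a second candidate does exist; if both can be present at once, injection by type is ambiguous and the parameter needs a `@Qualifier("contextRepository")` or the two beans need mutually exclusive conditions. A comment on the bean stating which repository is active in each mode would make the switch auditable, e.g. `// jwt.enable=false: the SecurityContext lives in the server-side WebSession; the JWT profile must supply its own ServerSecurityContextRepository`.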
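Review bot: If `TokenProvider tokenProvider` is still declared among the parameters of `securityWebFilterChain` above this hunk (the signature starts outside it), it is now an unused injection, because the `configure(...)` call in the following hunk passes `contextRepository` in its place; drop the parameter or leave a one-line comment saying why it is retained. The new `.securityContextRepository(contextRepository)` line is an improvement over the previous self-call, since the same instance is now guaranteed to be shared with the `AuthenticationWebFilter` built in `configure`.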
@@ -207,13 +208,14 @@ public class WebSecurityConfig {
 */
 private AuthenticationWebFilter configure(ReactiveAuthenticationManager authenticationManager,
 AuthenticationAuditor authenticationAuditor,
- ServerAuthenticationConverter authenticationConverter, TokenProvider tokenProvider) {
+ ServerAuthenticationConverter authenticationConverter,
+ ServerSecurityContextRepository contextRepository) {
 AuthenticationWebFilter authenticationFilter = new AuthenticationWebFilter(authenticationManager);
 authenticationFilter.setRequiresAuthenticationMatcher(pathMatchers(HttpMethod.POST, "/login", "/api/login"));
 authenticationFilter.setAuthenticationFailureHandler(new JsonAuthenticationFailureHandler(authenticationAuditor));
 authenticationFilter.setServerAuthenticationConverter(authenticationConverter);
- authenticationFilter.setAuthenticationSuccessHandler(new JsonAuthenticationSuccessHandler(authenticationAuditor, tokenProvider));
- authenticationFilter.setSecurityContextRepository(contextRepository());
+ authenticationFilter.setAuthenticationSuccessHandler(new JsonAuthenticationSuccessHandler(authenticationAuditor));
+ authenticationFilter.setSecurityContextRepository(contextRepository);
 return authenticationFilter;
 }
 
diff --git a/flyfish-web/src/main/java/dev/flyfish/framework/configuration/jwt/TokenProvider.java b/flyfish-web/src/main/java/dev/flyfish/framework/configuration/jwt/TokenProvider.java
index de05bba..dc2af17 100644
--- a/flyfish-web/src/main/java/dev/flyfish/framework/configuration/jwt/TokenProvider.java
+++ b/flyfish-web/src/main/java/dev/flyfish/framework/configuration/jwt/TokenProvider.java
@@ -168,9 +168,9 @@ public class TokenProvider implements InitializingBean {
 */
 public Claims parseToken(String token) {
 return Jwts.parser()
- .decryptWith(key)
+ .verifyWith(key)
 .build()
- .parseEncryptedClaims(token)
+ .parseSignedClaims(token)
 .getPayload();
 }
 
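Review bot: `new JsonAuthenticationSuccessHandler(authenticationAuditor)` drops the `TokenProvider`, and the two hunks in JsonAuthenticationSuccessHandler.java remove the field and the `tokenProvider.addToken(...)` call, so after this commit nothing visible in the diff writes a credential to the login response. That is fine for the `jwt.enable=false` profile, where the injected `WebSessionServerSecurityContextRepository` persists the context, but in the JWT profile the client would receive no token unless issuance moved into that profile's `ServerSecurityContextRepository.save(...)`, which is not shown here. Whichever is the case, it should be stated on `configure` (its javadoc begins above the hunk; only the closing `*/` is visible), e.g. `Credential persistence (WebSession or JWT) is delegated to the injected ServerSecurityContextRepository; the success handler only renders the user payload.`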
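Review bot: `verifyWith(key)` with `parseSignedClaims(token)` turns the token from an encrypted JWE into a signed JWS, so the payload is now only base64url-encoded: every claim the issuer places in it is readable by the client and by anything that logs or proxies the header carrying it. Confirm on the issuing side (not in this diff) that no sensitive attributes are written into the claims and that creation switched to `signWith` with key material the same `key` field can verify; a symmetric key that was sized for JWE content encryption is not automatically suitable for HMAC signing. `parseSignedClaims` rejects unsigned, expired and tampered tokens with an `io.jsonwebtoken.JwtException`, so callers of `parseToken` must map that to an authentication failure rather than a server error; the javadoc above the hunk (only its `*/` is visible) should gain `Verifies the signature and returns the claims; the payload is integrity-protected but not confidential.` and `@throws io.jsonwebtoken.JwtException if the token is malformed, expired, or its signature does not verify`.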
diff --git a/flyfish-web/src/main/java/dev/flyfish/framework/handler/JsonAuthenticationSuccessHandler.java b/flyfish-web/src/main/java/dev/flyfish/framework/handler/JsonAuthenticationSuccessHandler.java
index 2dd09d5..2fce13e 100644
--- a/flyfish-web/src/main/java/dev/flyfish/framework/handler/JsonAuthenticationSuccessHandler.java
+++ b/flyfish-web/src/main/java/dev/flyfish/framework/handler/JsonAuthenticationSuccessHandler.java
@@ -23,8 +23,6 @@ public class JsonAuthenticationSuccessHandler implements ServerAuthenticationSuc
 
 // 数据块工厂
 private final AuthenticationAuditor authenticationAuditor;
- // token提供者
- private final TokenProvider tokenProvider;
 
 /**
 * 登录成功后要返回用户的基本信息,节省带宽
@@ -35,8 +33,6 @@ public class JsonAuthenticationSuccessHandler implements ServerAuthenticationSuc
 */
 @Override
 public Mono onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
- // 添加成功响应头
- tokenProvider.addToken(webFilterExchange.getExchange(), authentication);
 // 组装正确的响应信息
 ServerHttpResponse response = webFilterExchange.getExchange().getResponse();
 HttpHeaders headers = response.getHeaders();