diff --git a/seaweed-volume/src/config.rs b/seaweed-volume/src/config.rs
index 9beee7f50..a2361b4ff 100644
--- a/seaweed-volume/src/config.rs
+++ b/seaweed-volume/src/config.rs
@@ -957,13 +957,13 @@ pub fn parse_security_config(path: &str) -> SecurityConfig {
 Section::JwtSigningRead => match key {
 "key" => cfg.jwt_read_signing_key = value.as_bytes().to_vec(),
 "expires_after_seconds" => {
- cfg.jwt_read_signing_expires = value.parse().unwrap_or(0)
+ cfg.jwt_read_signing_expires = value.parse().unwrap_or(60)
 }
 _ => {}
 },
 Section::JwtSigning => match key {
 "key" => cfg.jwt_signing_key = value.as_bytes().to_vec(),
- "expires_after_seconds" => cfg.jwt_signing_expires = value.parse().unwrap_or(0),
+ "expires_after_seconds" => cfg.jwt_signing_expires = value.parse().unwrap_or(10),
 _ => {}
 },
 Section::HttpsClient => match key {
@@ -1021,6 +1021,15 @@ pub fn parse_security_config(path: &str) -> SecurityConfig {
 }
 }

+ // Match Go's v.SetDefault: when a signing key is present but
+ // expires_after_seconds was never specified, apply Go's defaults.
+ if !cfg.jwt_signing_key.is_empty() && cfg.jwt_signing_expires == 0 {
+ cfg.jwt_signing_expires = 10;
+ }
+ if !cfg.jwt_read_signing_key.is_empty() && cfg.jwt_read_signing_expires == 0 {
+ cfg.jwt_read_signing_expires = 60;
+ }
+
 // Override with WEED_ environment variables (matches Go's Viper convention:
 // prefix WEED_, uppercase, replace . with _).
 // e.g. WEED_JWT_SIGNING_KEY overrides [jwt.signing] key
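Review bot: A malformed `expires_after_seconds` is still swallowed by `value.parse().unwrap_or(60)` and `value.parse().unwrap_or(10)` in the first hunk: a typo such as `10s` silently yields the default token lifetime, so an operator who meant to set a different expiry gets no signal that the setting was ignored. Consider reporting the rejected key and value through whatever logging this file already uses before falling back, for example `value.parse().unwrap_or_else(|_| { /* log key and value */ 60 })`. The literals 10 and 60 also recur in the second hunk, and a pair of named constants would keep the two places from drifting apart. parse_security_config starts and ends outside this hunk.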
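Review bot: The `== 0` test in the added block of the second hunk cannot tell "never specified" from an explicit `expires_after_seconds = 0`, so a configured 0 is rewritten to 10 or 60 even though the comment limits the default to the unspecified case. If 0 carries a meaning of its own in the Go implementation (not visible here), this diverges from it; parsing into a local `Option` inside the loop and applying `unwrap_or(10)` / `unwrap_or(60)` afterwards would remove the ambiguity. The block also runs before the WEED_ environment overrides described in the trailing context lines, so a key supplied only through `WEED_JWT_SIGNING_KEY` appears to leave the expiry at 0 unless that later code sets it; applying the defaults after the overrides would cover that path. The function body continues outside the hunk.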