diff --git a/server/router/api/v1/acl_config.go b/server/router/api/v1/acl_config.go
index 4569e82b9..e29af35ae 100644
--- a/server/router/api/v1/acl_config.go
+++ b/server/router/api/v1/acl_config.go
@@ -12,6 +12,7 @@ var PublicMethods = map[string]struct{}{
 	// Auth Service - login flow must be accessible without auth
 	"/memos.api.v1.AuthService/CreateSession":     {},
 	"/memos.api.v1.AuthService/GetCurrentSession": {},
+	"/memos.api.v1.AuthService/RefreshToken":      {}, // Token refresh must be accessible when access token expired
 
 	// Instance Service - needed before login to show instance info
 	"/memos.api.v1.InstanceService/GetInstanceProfile": {},
diff --git a/server/router/api/v1/connect_interceptors.go b/server/router/api/v1/connect_interceptors.go
index d4781e37c..5af3d7b2b 100644
--- a/server/router/api/v1/connect_interceptors.go
+++ b/server/router/api/v1/connect_interceptors.go
@@ -43,6 +43,10 @@ func (*MetadataInterceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc
 		if xri := header.Get("X-Real-Ip"); xri != "" {
 			md.Set("x-real-ip", xri)
 		}
+		// Forward Cookie header for authentication methods that need it (e.g., RefreshToken)
+		if cookie := header.Get("Cookie"); cookie != "" {
+			md.Set("cookie", cookie)
+		}
 
 		// Set metadata in context so services can use metadata.FromIncomingContext()
 		ctx = metadata.NewIncomingContext(ctx, md)