diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
index 22440d2dd..65dd58f3f 100644
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -1,808 +1,813 @@
 // Standard library imports
 use std::str::FromStr;
 
 // External crate imports
 use comm_lib::aws::DynamoDBError;
 use comm_opaque2::grpc::protocol_error_to_grpc_status;
 use moka::future::Cache;
 use rand::rngs::OsRng;
 use siwe::eip55;
 use tonic::Response;
 use tracing::{debug, error, warn};
 
 // Workspace crate imports
 use crate::config::CONFIG;
 use crate::constants::request_metadata;
 use crate::database::{
   DBDeviceTypeInt, DatabaseClient, DeviceType, KeyPayload,
 };
 use crate::error::Error as DBError;
 use crate::grpc_services::protos::unauth::{
   AddReservedUsernamesRequest, Empty, GenerateNonceResponse,
   OpaqueLoginFinishRequest, OpaqueLoginFinishResponse, OpaqueLoginStartRequest,
   OpaqueLoginStartResponse, RegistrationFinishRequest,
   RegistrationFinishResponse, RegistrationStartRequest,
   RegistrationStartResponse, RemoveReservedUsernameRequest,
   ReservedRegistrationStartRequest, ReservedWalletLoginRequest,
   VerifyUserAccessTokenRequest, VerifyUserAccessTokenResponse,
   WalletLoginRequest, WalletLoginResponse,
 };
 use crate::grpc_services::shared::get_value;
 use crate::grpc_utils::DeviceKeyUploadActions;
 use crate::id::generate_uuid;
 use crate::nonce::generate_nonce_data;
 use crate::reserved_users::{
   validate_account_ownership_message_and_get_user_id,
   validate_add_reserved_usernames_message,
   validate_remove_reserved_username_message,
 };
 use crate::siwe::{is_valid_ethereum_address, parse_and_verify_siwe_message};
 use crate::token::{AccessTokenData, AuthType};
 
 pub use crate::grpc_services::protos::unauth::identity_client_service_server::{
     IdentityClientService, IdentityClientServiceServer,
   };
 
 #[derive(Clone)]
 pub enum WorkflowInProgress {
   Registration(Box<UserRegistrationInfo>),
   Login(Box<UserLoginInfo>),
   Update(UpdateState),
 }
 
 #[derive(Clone)]
 pub struct UserRegistrationInfo {
   pub username: String,
   pub flattened_device_key_upload: FlattenedDeviceKeyUpload,
   pub user_id: Option<String>,
 }
 
 #[derive(Clone)]
 pub struct UserLoginInfo {
   pub user_id: String,
   pub flattened_device_key_upload: FlattenedDeviceKeyUpload,
   pub opaque_server_login: comm_opaque2::server::Login,
 }
 
 #[derive(Clone)]
 pub struct UpdateState {
   pub user_id: String,
 }
 
 #[derive(Clone)]
 pub struct FlattenedDeviceKeyUpload {
   pub device_id_key: String,
   pub key_payload: String,
   pub key_payload_signature: String,
   pub content_prekey: String,
   pub content_prekey_signature: String,
   pub content_one_time_keys: Vec<String>,
   pub notif_prekey: String,
   pub notif_prekey_signature: String,
   pub notif_one_time_keys: Vec<String>,
   pub device_type: DeviceType,
 }
 
 #[derive(derive_more::Constructor)]
 pub struct ClientService {
   client: DatabaseClient,
   cache: Cache<String, WorkflowInProgress>,
 }
 
 #[tonic::async_trait]
 impl IdentityClientService for ClientService {
   async fn register_password_user_start(
     &self,
     request: tonic::Request<RegistrationStartRequest>,
   ) -> Result<tonic::Response<RegistrationStartResponse>, tonic::Status> {
     let message = request.into_inner();
     debug!("Received registration request for: {}", message.username);
 
     self.check_username_taken(&message.username).await?;
     let username_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&message.username)
       .await
       .map_err(handle_db_error)?;
 
     if username_in_reserved_usernames_table {
       return Err(tonic::Status::already_exists("username already exists"));
     }
 
     if CONFIG.reserved_usernames.contains(&message.username)
       || is_valid_ethereum_address(&message.username)
     {
       return Err(tonic::Status::invalid_argument("username reserved"));
     }
 
     let registration_state = construct_user_registration_info(
       &message,
       None,
       message.username.clone(),
     )?;
     let server_registration = comm_opaque2::server::Registration::new();
     let server_message = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
     let session_id = self
       .cache
       .insert_with_uuid_key(WorkflowInProgress::Registration(Box::new(
         registration_state,
       )))
       .await;
 
     let response = RegistrationStartResponse {
       session_id,
       opaque_registration_response: server_message,
     };
     Ok(Response::new(response))
   }
 
   async fn register_reserved_password_user_start(
     &self,
     request: tonic::Request<ReservedRegistrationStartRequest>,
   ) -> Result<tonic::Response<RegistrationStartResponse>, tonic::Status> {
     let message = request.into_inner();
     self.check_username_taken(&message.username).await?;
 
     if CONFIG.reserved_usernames.contains(&message.username) {
       return Err(tonic::Status::invalid_argument("username reserved"));
     }
 
     let username_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&message.username)
       .await
       .map_err(handle_db_error)?;
     if !username_in_reserved_usernames_table {
       return Err(tonic::Status::permission_denied("username not reserved"));
     }
 
     let user_id = validate_account_ownership_message_and_get_user_id(
       &message.username,
       &message.keyserver_message,
       &message.keyserver_signature,
     )?;
 
     let registration_state = construct_user_registration_info(
       &message,
       Some(user_id),
       message.username.clone(),
     )?;
     let server_registration = comm_opaque2::server::Registration::new();
     let server_message = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let session_id = self
       .cache
       .insert_with_uuid_key(WorkflowInProgress::Registration(Box::new(
         registration_state,
       )))
       .await;
 
     let response = RegistrationStartResponse {
       session_id,
       opaque_registration_response: server_message,
     };
     Ok(Response::new(response))
   }
 
   async fn register_password_user_finish(
     &self,
     request: tonic::Request<RegistrationFinishRequest>,
   ) -> Result<tonic::Response<RegistrationFinishResponse>, tonic::Status> {
     let code_version = get_code_version(&request);
     let message = request.into_inner();
 
     if let Some(WorkflowInProgress::Registration(state)) =
       self.cache.get(&message.session_id)
     {
       self.cache.invalidate(&message.session_id).await;
 
       let server_registration = comm_opaque2::server::Registration::new();
       let password_file = server_registration
         .finish(&message.opaque_registration_upload)
         .map_err(protocol_error_to_grpc_status)?;
 
       let login_time = chrono::Utc::now();
       let device_id = state.flattened_device_key_upload.device_id_key.clone();
       let user_id = self
         .client
         .add_password_user_to_users_table(
           *state,
           password_file,
           code_version,
           login_time,
         )
         .await
         .map_err(handle_db_error)?;
 
       // Create access token
       let token = AccessTokenData::with_created_time(
         user_id.clone(),
         device_id,
         login_time,
         crate::token::AuthType::Password,
         &mut OsRng,
       );
 
       let access_token = token.access_token.clone();
 
       self
         .client
         .put_access_token_data(token)
         .await
         .map_err(handle_db_error)?;
 
       let response = RegistrationFinishResponse {
         user_id,
         access_token,
       };
       Ok(Response::new(response))
     } else {
       Err(tonic::Status::not_found("session not found"))
     }
   }
 
   async fn log_in_password_user_start(
     &self,
     request: tonic::Request<OpaqueLoginStartRequest>,
   ) -> Result<tonic::Response<OpaqueLoginStartResponse>, tonic::Status> {
     let message = request.into_inner();
 
     debug!("Attempting to login user: {:?}", &message.username);
     let user_id_and_password_file = self
       .client
       .get_user_id_and_password_file_from_username(&message.username)
       .await
       .map_err(handle_db_error)?;
 
     let (user_id, password_file_bytes) =
       if let Some(data) = user_id_and_password_file {
         data
       } else {
         // It's possible that the user attempting login is already registered
         // on Ashoat's keyserver. If they are, we should send back a gRPC status
         // code instructing them to get a signed message from Ashoat's keyserver
         // in order to claim their username and register with the Identity
         // service.
         let username_in_reserved_usernames_table = self
           .client
           .username_in_reserved_usernames_table(&message.username)
           .await
           .map_err(handle_db_error)?;
 
         if username_in_reserved_usernames_table {
           return Err(tonic::Status::failed_precondition(
             "need keyserver message to claim username",
           ));
         }
 
         return Err(tonic::Status::not_found("user not found"));
       };
 
     let mut server_login = comm_opaque2::server::Login::new();
     let server_response = server_login
       .start(
         &CONFIG.server_setup,
         &password_file_bytes,
         &message.opaque_login_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let login_state =
       construct_user_login_info(&message, user_id, server_login)?;
 
     let session_id = self
       .cache
       .insert_with_uuid_key(WorkflowInProgress::Login(Box::new(login_state)))
       .await;
 
     let response = Response::new(OpaqueLoginStartResponse {
       session_id,
       opaque_login_response: server_response,
     });
     Ok(response)
   }
 
   async fn log_in_password_user_finish(
     &self,
     request: tonic::Request<OpaqueLoginFinishRequest>,
   ) -> Result<tonic::Response<OpaqueLoginFinishResponse>, tonic::Status> {
     let code_version = get_code_version(&request);
     let message = request.into_inner();
 
     if let Some(WorkflowInProgress::Login(state)) =
       self.cache.get(&message.session_id)
     {
       self.cache.invalidate(&message.session_id).await;
 
       let mut server_login = state.opaque_server_login.clone();
       server_login
         .finish(&message.opaque_login_upload)
         .map_err(protocol_error_to_grpc_status)?;
 
       let login_time = chrono::Utc::now();
       self
         .client
         .add_user_device(
           state.user_id.clone(),
           state.flattened_device_key_upload.clone(),
           code_version,
           login_time,
         )
         .await
         .map_err(handle_db_error)?;
 
       // Create access token
       let token = AccessTokenData::with_created_time(
         state.user_id.clone(),
         state.flattened_device_key_upload.device_id_key,
         login_time,
         crate::token::AuthType::Password,
         &mut OsRng,
       );
 
       let access_token = token.access_token.clone();
 
       self
         .client
         .put_access_token_data(token)
         .await
         .map_err(handle_db_error)?;
 
       let response = OpaqueLoginFinishResponse {
         user_id: state.user_id,
         access_token,
       };
       Ok(Response::new(response))
     } else {
       Err(tonic::Status::not_found("session not found"))
     }
   }
 
   async fn log_in_wallet_user(
     &self,
     request: tonic::Request<WalletLoginRequest>,
   ) -> Result<tonic::Response<WalletLoginResponse>, tonic::Status> {
     let code_version = get_code_version(&request);
     let message = request.into_inner();
 
     let parsed_message = parse_and_verify_siwe_message(
       &message.siwe_message,
       &message.siwe_signature,
     )?;
 
     match self
       .client
       .get_nonce_from_nonces_table(&parsed_message.nonce)
       .await
       .map_err(handle_db_error)?
     {
       None => return Err(tonic::Status::invalid_argument("invalid nonce")),
+      Some(nonce) if nonce.is_expired() => {
+        // we don't need to remove the nonce from the table here
+        // because the DynamoDB TTL will take care of it
+        return Err(tonic::Status::aborted("nonce expired"));
+      }
       Some(_) => self
         .client
         .remove_nonce_from_nonces_table(&parsed_message.nonce)
         .await
         .map_err(handle_db_error)?,
     };
 
     let wallet_address = eip55(&parsed_message.address);
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let social_proof = message
       .social_proof()?
       .ok_or_else(|| tonic::Status::invalid_argument("malformed payload"))?;
 
     let login_time = chrono::Utc::now();
     let user_id = match self
       .client
       .get_user_id_from_user_info(wallet_address.clone(), &AuthType::Wallet)
       .await
       .map_err(handle_db_error)?
     {
       Some(id) => {
         // User already exists, so we should update the DDB item
         self
           .client
           .add_user_device(
             id.clone(),
             flattened_device_key_upload.clone(),
             code_version,
             chrono::Utc::now(),
           )
           .await
           .map_err(handle_db_error)?;
         id
       }
       None => {
         // It's possible that the user attempting login is already registered
         // on Ashoat's keyserver. If they are, we should send back a gRPC status
         // code instructing them to get a signed message from Ashoat's keyserver
         // in order to claim their wallet address and register with the Identity
         // service.
         let username_in_reserved_usernames_table = self
           .client
           .username_in_reserved_usernames_table(&wallet_address)
           .await
           .map_err(handle_db_error)?;
 
         if username_in_reserved_usernames_table {
           return Err(tonic::Status::failed_precondition(
             "need keyserver message to claim username",
           ));
         }
 
         // User doesn't exist yet and wallet address isn't reserved, so we
         // should add a new user in DDB
         self
           .client
           .add_wallet_user_to_users_table(
             flattened_device_key_upload.clone(),
             wallet_address,
             social_proof,
             None,
             code_version,
             login_time,
           )
           .await
           .map_err(handle_db_error)?
       }
     };
 
     // Create access token
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       flattened_device_key_upload.device_id_key,
       login_time,
       crate::token::AuthType::Password,
       &mut OsRng,
     );
 
     let access_token = token.access_token.clone();
 
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = WalletLoginResponse {
       user_id,
       access_token,
     };
     Ok(Response::new(response))
   }
 
   async fn log_in_reserved_wallet_user(
     &self,
     request: tonic::Request<ReservedWalletLoginRequest>,
   ) -> Result<tonic::Response<WalletLoginResponse>, tonic::Status> {
     let code_version = get_code_version(&request);
     let message = request.into_inner();
 
     let parsed_message = parse_and_verify_siwe_message(
       &message.siwe_message,
       &message.siwe_signature,
     )?;
 
     match self
       .client
       .get_nonce_from_nonces_table(&parsed_message.nonce)
       .await
       .map_err(handle_db_error)?
     {
       None => return Err(tonic::Status::invalid_argument("invalid nonce")),
       Some(_) => self
         .client
         .remove_nonce_from_nonces_table(&parsed_message.nonce)
         .await
         .map_err(handle_db_error)?,
     };
 
     let wallet_address = eip55(&parsed_message.address);
 
     self.check_wallet_address_taken(&wallet_address).await?;
 
     let wallet_address_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&wallet_address)
       .await
       .map_err(handle_db_error)?;
     if !wallet_address_in_reserved_usernames_table {
       return Err(tonic::Status::permission_denied(
         "wallet address not reserved",
       ));
     }
 
     let user_id = validate_account_ownership_message_and_get_user_id(
       &wallet_address,
       &message.keyserver_message,
       &message.keyserver_signature,
     )?;
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let social_proof = message
       .social_proof()?
       .ok_or_else(|| tonic::Status::invalid_argument("malformed payload"))?;
 
     let login_time = chrono::Utc::now();
     self
       .client
       .add_wallet_user_to_users_table(
         flattened_device_key_upload.clone(),
         wallet_address,
         social_proof,
         Some(user_id.clone()),
         code_version,
         login_time,
       )
       .await
       .map_err(handle_db_error)?;
 
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       flattened_device_key_upload.device_id_key,
       login_time,
       crate::token::AuthType::Password,
       &mut OsRng,
     );
 
     let access_token = token.access_token.clone();
 
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = WalletLoginResponse {
       user_id,
       access_token,
     };
 
     Ok(Response::new(response))
   }
 
   async fn generate_nonce(
     &self,
     _request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<GenerateNonceResponse>, tonic::Status> {
     let nonce_data = generate_nonce_data(&mut OsRng);
     match self
       .client
       .add_nonce_to_nonces_table(nonce_data.clone())
       .await
     {
       Ok(_) => Ok(Response::new(GenerateNonceResponse {
         nonce: nonce_data.nonce,
       })),
       Err(e) => Err(handle_db_error(e)),
     }
   }
 
   async fn verify_user_access_token(
     &self,
     request: tonic::Request<VerifyUserAccessTokenRequest>,
   ) -> Result<tonic::Response<VerifyUserAccessTokenResponse>, tonic::Status> {
     let message = request.into_inner();
     debug!("Verifying device: {}", &message.device_id);
 
     let token_valid = self
       .client
       .verify_access_token(
         message.user_id,
         message.device_id.clone(),
         message.access_token,
       )
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(VerifyUserAccessTokenResponse { token_valid });
     debug!(
       "device {} was verified: {}",
       &message.device_id, token_valid
     );
     Ok(response)
   }
 
   async fn add_reserved_usernames(
     &self,
     request: tonic::Request<AddReservedUsernamesRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let message = request.into_inner();
 
     let user_details = validate_add_reserved_usernames_message(
       &message.message,
       &message.signature,
     )?;
 
     let filtered_user_details = self
       .client
       .filter_out_taken_usernames(user_details)
       .await
       .map_err(handle_db_error)?;
 
     self
       .client
       .add_usernames_to_reserved_usernames_table(filtered_user_details)
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   async fn remove_reserved_username(
     &self,
     request: tonic::Request<RemoveReservedUsernameRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let message = request.into_inner();
 
     let username = validate_remove_reserved_username_message(
       &message.message,
       &message.signature,
     )?;
 
     self
       .client
       .delete_username_from_reserved_usernames_table(username)
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   async fn ping(
     &self,
     _request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let response = Response::new(Empty {});
     Ok(response)
   }
 }
 
 impl ClientService {
   async fn check_username_taken(
     &self,
     username: &str,
   ) -> Result<(), tonic::Status> {
     let username_taken = self
       .client
       .username_taken(username.to_string())
       .await
       .map_err(handle_db_error)?;
     if username_taken {
       return Err(tonic::Status::already_exists("username already exists"));
     }
     Ok(())
   }
 
   async fn check_wallet_address_taken(
     &self,
     wallet_address: &str,
   ) -> Result<(), tonic::Status> {
     let wallet_address_taken = self
       .client
       .wallet_address_taken(wallet_address.to_string())
       .await
       .map_err(handle_db_error)?;
     if wallet_address_taken {
       return Err(tonic::Status::already_exists(
         "wallet address already exists",
       ));
     }
     Ok(())
   }
 }
 
 #[tonic::async_trait]
 pub trait CacheExt<T> {
   async fn insert_with_uuid_key(&self, value: T) -> String;
 }
 
 #[tonic::async_trait]
 impl<T> CacheExt<T> for Cache<String, T>
 where
   T: Clone + Send + Sync + 'static,
 {
   async fn insert_with_uuid_key(&self, value: T) -> String {
     let session_id = generate_uuid();
     self.insert(session_id.clone(), value).await;
     session_id
   }
 }
 
 pub fn handle_db_error(db_error: DBError) -> tonic::Status {
   match db_error {
     DBError::AwsSdk(DynamoDBError::InternalServerError(_))
     | DBError::AwsSdk(DynamoDBError::ProvisionedThroughputExceededException(
       _,
     ))
     | DBError::AwsSdk(DynamoDBError::RequestLimitExceeded(_)) => {
       tonic::Status::unavailable("please retry")
     }
     e => {
       error!("Encountered an unexpected error: {}", e);
       tonic::Status::failed_precondition("unexpected error")
     }
   }
 }
 
 fn construct_user_registration_info(
   message: &impl DeviceKeyUploadActions,
   user_id: Option<String>,
   username: String,
 ) -> Result<UserRegistrationInfo, tonic::Status> {
   Ok(UserRegistrationInfo {
     username,
     flattened_device_key_upload: construct_flattened_device_key_upload(
       message,
     )?,
     user_id,
   })
 }
 
 fn construct_user_login_info(
   message: &impl DeviceKeyUploadActions,
   user_id: String,
   opaque_server_login: comm_opaque2::server::Login,
 ) -> Result<UserLoginInfo, tonic::Status> {
   Ok(UserLoginInfo {
     user_id,
     flattened_device_key_upload: construct_flattened_device_key_upload(
       message,
     )?,
     opaque_server_login,
   })
 }
 
 fn construct_flattened_device_key_upload(
   message: &impl DeviceKeyUploadActions,
 ) -> Result<FlattenedDeviceKeyUpload, tonic::Status> {
   let key_info = KeyPayload::from_str(&message.payload()?)
     .map_err(|_| tonic::Status::invalid_argument("malformed payload"))?;
 
   let flattened_device_key_upload = FlattenedDeviceKeyUpload {
     device_id_key: key_info.primary_identity_public_keys.ed25519,
     key_payload: message.payload()?,
     key_payload_signature: message.payload_signature()?,
     content_prekey: message.content_prekey()?,
     content_prekey_signature: message.content_prekey_signature()?,
     content_one_time_keys: message.one_time_content_prekeys()?,
     notif_prekey: message.notif_prekey()?,
     notif_prekey_signature: message.notif_prekey_signature()?,
     notif_one_time_keys: message.one_time_notif_prekeys()?,
     device_type: DeviceType::try_from(DBDeviceTypeInt(message.device_type()?))
       .map_err(handle_db_error)?,
   };
 
   Ok(flattened_device_key_upload)
 }
 
 fn get_code_version<T: std::fmt::Debug>(req: &tonic::Request<T>) -> u64 {
   get_value(req, request_metadata::CODE_VERSION)
     .and_then(|version| version.parse().ok())
     .unwrap_or_else(|| {
       warn!(
         "Could not retrieve code version from request: {:?}. Defaulting to 0",
         req
       );
       Default::default()
     })
 }
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
index 9c908c78c..9dac0a506 100644
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -1,219 +1,219 @@
 use tokio::time::Duration;
 
 // Secrets
 
 pub const SECRETS_DIRECTORY: &str = "secrets";
 pub const SECRETS_SETUP_FILE: &str = "server_setup.txt";
 
 // DynamoDB
 
 // User table information, supporting opaque_ke 2.0 and X3DH information
 
 // Users can sign in either through username+password or Eth wallet.
 //
 // This structure should be aligned with the messages defined in
 // shared/protos/identity_unauthenticated.proto
 //
 // Structure for a user should be:
 // {
 //   userID: String,
 //   opaqueRegistrationData: Option<String>,
 //   username: Option<String>,
 //   walletAddress: Option<String>,
 //   devices: HashMap<String, Device>
 // }
 //
 // A device is defined as:
 // {
 //     deviceType: String, # client or keyserver
 //     keyPayload: String,
 //     keyPayloadSignature: String,
 //     identityPreKey: String,
 //     identityPreKeySignature: String,
 //     identityOneTimeKeys: Vec<String>,
 //     notifPreKey: String,
 //     notifPreKeySignature: String,
 //     notifOneTimeKeys: Vec<String>,
 //     socialProof: Option<String>
 //   }
 // }
 //
 // Additional context:
 // "devices" uses the signing public identity key of the device as a key for the devices map
 // "keyPayload" is a JSON encoded string containing identity and notif keys (both signature and verification)
 // if "deviceType" == "keyserver", then the device will not have any notif key information
 
 pub const USERS_TABLE: &str = "identity-users";
 pub const USERS_TABLE_PARTITION_KEY: &str = "userID";
 pub const USERS_TABLE_REGISTRATION_ATTRIBUTE: &str = "opaqueRegistrationData";
 pub const USERS_TABLE_USERNAME_ATTRIBUTE: &str = "username";
 pub const USERS_TABLE_DEVICES_MAP_DEVICE_TYPE_ATTRIBUTE_NAME: &str =
   "deviceType";
 pub const USERS_TABLE_WALLET_ADDRESS_ATTRIBUTE: &str = "walletAddress";
 pub const USERS_TABLE_SOCIAL_PROOF_ATTRIBUTE_NAME: &str = "socialProof";
 pub const USERS_TABLE_DEVICELIST_TIMESTAMP_ATTRIBUTE_NAME: &str =
   "deviceListTimestamp";
 pub const USERS_TABLE_USERNAME_INDEX: &str = "username-index";
 pub const USERS_TABLE_WALLET_ADDRESS_INDEX: &str = "walletAddress-index";
 
 pub const ACCESS_TOKEN_TABLE: &str = "identity-tokens";
 pub const ACCESS_TOKEN_TABLE_PARTITION_KEY: &str = "userID";
 pub const ACCESS_TOKEN_SORT_KEY: &str = "signingPublicKey";
 pub const ACCESS_TOKEN_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const ACCESS_TOKEN_TABLE_AUTH_TYPE_ATTRIBUTE: &str = "authType";
 pub const ACCESS_TOKEN_TABLE_VALID_ATTRIBUTE: &str = "valid";
 pub const ACCESS_TOKEN_TABLE_TOKEN_ATTRIBUTE: &str = "token";
 
 pub const NONCE_TABLE: &str = "identity-nonces";
 pub const NONCE_TABLE_PARTITION_KEY: &str = "nonce";
 pub const NONCE_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const NONCE_TABLE_EXPIRATION_TIME_ATTRIBUTE: &str = "expirationTime";
 pub const NONCE_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 // Usernames reserved because they exist in Ashoat's keyserver already
 pub const RESERVED_USERNAMES_TABLE: &str = "identity-reserved-usernames";
 pub const RESERVED_USERNAMES_TABLE_PARTITION_KEY: &str = "username";
 pub const RESERVED_USERNAMES_TABLE_USER_ID_ATTRIBUTE: &str = "userID";
 
 pub mod devices_table {
   /// table name
   pub const NAME: &str = "identity-devices";
   pub const TIMESTAMP_INDEX_NAME: &str = "deviceList-timestamp-index";
 
   /// partition key
   pub const ATTR_USER_ID: &str = "userID";
   /// sort key
   pub const ATTR_ITEM_ID: &str = "itemID";
 
   // itemID prefixes (one shouldn't be a prefix of the other)
   pub const DEVICE_ITEM_KEY_PREFIX: &str = "device-";
   pub const DEVICE_LIST_KEY_PREFIX: &str = "devicelist-";
 
   // device-specific attrs
   pub const ATTR_DEVICE_TYPE: &str = "deviceType";
   pub const ATTR_DEVICE_KEY_INFO: &str = "deviceKeyInfo";
   pub const ATTR_CONTENT_PREKEY: &str = "contentPreKey";
   pub const ATTR_NOTIF_PREKEY: &str = "notifPreKey";
 
   // IdentityKeyInfo constants
   pub const ATTR_KEY_PAYLOAD: &str = "keyPayload";
   pub const ATTR_KEY_PAYLOAD_SIGNATURE: &str = "keyPayloadSignature";
 
   // PreKey constants
   pub const ATTR_PREKEY: &str = "preKey";
   pub const ATTR_PREKEY_SIGNATURE: &str = "preKeySignature";
 
   // device-list-specific attrs
   pub const ATTR_TIMESTAMP: &str = "timestamp";
   pub const ATTR_DEVICE_IDS: &str = "deviceIDs";
 
   // migration-specific attrs
   pub const ATTR_CODE_VERSION: &str = "codeVersion";
   pub const ATTR_LOGIN_TIME: &str = "loginTime";
 }
 
 // One time keys table, which need to exist in their own table to ensure
 // atomicity of additions and removals
 pub mod one_time_keys_table {
   // The `PARTITION_KEY` will contain "notification_${deviceID}" or
   // "content_${deviceID}" to allow for both key sets to coexist in the same table
   pub const NAME: &str = "identity-one-time-keys";
   pub const PARTITION_KEY: &str = "deviceID";
   pub const DEVICE_ID: &str = PARTITION_KEY;
   pub const SORT_KEY: &str = "oneTimeKey";
   pub const ONE_TIME_KEY: &str = SORT_KEY;
 }
 
 // One-time key constants for device info map
 pub const CONTENT_ONE_TIME_KEY: &str = "contentOneTimeKey";
 pub const NOTIF_ONE_TIME_KEY: &str = "notifOneTimeKey";
 
 // Tokio
 
 pub const MPSC_CHANNEL_BUFFER_CAPACITY: usize = 1;
 pub const IDENTITY_SERVICE_SOCKET_ADDR: &str = "[::]:50054";
 pub const IDENTITY_SERVICE_WEBSOCKET_ADDR: &str = "[::]:51004";
 
 pub const SOCKET_HEARTBEAT_TIMEOUT: Duration = Duration::from_secs(3);
 
 // Token
 
 pub const ACCESS_TOKEN_LENGTH: usize = 512;
 
 // Temporary config
 
 pub const AUTH_TOKEN: &str = "COMM_IDENTITY_SERVICE_AUTH_TOKEN";
 pub const KEYSERVER_PUBLIC_KEY: &str = "KEYSERVER_PUBLIC_KEY";
 
 // Nonce
 
 pub const NONCE_LENGTH: usize = 17;
-pub const NONCE_TTL_DURATION: i64 = 30;
+pub const NONCE_TTL_DURATION: i64 = 120; // seconds
 
 // Identity
 
 pub const DEFAULT_IDENTITY_ENDPOINT: &str = "http://localhost:50054";
 
 // LocalStack
 
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
 
 // OPAQUE Server Setup
 
 pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
 
 // Opensearch Domain
 
 pub const OPENSEARCH_ENDPOINT: &str = "OPENSEARCH_ENDPOINT";
 pub const DEFAULT_OPENSEARCH_ENDPOINT: &str =
   "identity-search-domain.us-east-2.opensearch.localhost.local
 stack.cloud:4566";
 
 // Tunnelbroker
 pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT";
 pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051";
 
 // X3DH key management
 
 // Threshold for requesting more one_time keys
 pub const ONE_TIME_KEY_MINIMUM_THRESHOLD: usize = 5;
 // Number of keys to be refreshed when below the threshold
 pub const ONE_TIME_KEY_REFRESH_NUMBER: u32 = 5;
 
 // Minimum supported code versions
 
 pub const MIN_SUPPORTED_NATIVE_VERSION: u64 = 270;
 
 // Request metadata
 
 pub mod request_metadata {
   pub const CODE_VERSION: &str = "code_version";
   pub const DEVICE_TYPE: &str = "device_type";
   pub const USER_ID: &str = "user_id";
   pub const DEVICE_ID: &str = "device_id";
   pub const ACCESS_TOKEN: &str = "access_token";
 }
 
 // CORS
 
 pub mod cors {
   use std::time::Duration;
 
   pub const DEFAULT_MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);
   pub const DEFAULT_EXPOSED_HEADERS: [&str; 3] =
     ["grpc-status", "grpc-message", "grpc-status-details-bin"];
   pub const DEFAULT_ALLOW_HEADERS: [&str; 9] = [
     "x-grpc-web",
     "content-type",
     "x-user-agent",
     "grpc-timeout",
     super::request_metadata::CODE_VERSION,
     super::request_metadata::DEVICE_TYPE,
     super::request_metadata::USER_ID,
     super::request_metadata::DEVICE_ID,
     super::request_metadata::ACCESS_TOKEN,
   ];
   pub const DEFAULT_ALLOW_ORIGIN: [&str; 2] =
     ["https://web.comm.app", "http://localhost:3000"];
 }
diff --git a/services/identity/src/nonce.rs b/services/identity/src/nonce.rs
index 51de5ebee..b7d99737c 100644
--- a/services/identity/src/nonce.rs
+++ b/services/identity/src/nonce.rs
@@ -1,26 +1,32 @@
 use chrono::{DateTime, Duration, Utc};
 use rand::{
   distributions::{Alphanumeric, DistString},
   CryptoRng, Rng,
 };
 
 use crate::constants::NONCE_LENGTH;
 use crate::constants::NONCE_TTL_DURATION;
 
 pub fn generate_nonce_data(rng: &mut (impl Rng + CryptoRng)) -> NonceData {
   let nonce = Alphanumeric.sample_string(rng, NONCE_LENGTH);
   let created = Utc::now();
-  let expiration_time = created + Duration::minutes(NONCE_TTL_DURATION);
+  let expiration_time = created + Duration::seconds(NONCE_TTL_DURATION);
   NonceData {
     nonce,
     created,
     expiration_time,
   }
 }
 
 #[derive(Clone)]
 pub struct NonceData {
   pub nonce: String,
   pub created: DateTime<Utc>,
   pub expiration_time: DateTime<Utc>,
 }
+
+impl NonceData {
+  pub fn is_expired(&self) -> bool {
+    Utc::now() > self.expiration_time
+  }
+}