diff --git a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java
index 5efc01a096..ebcf88b346 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/JwtAccessTokenRefresher.java
@@ -29,6 +29,8 @@ public class JwtAccessTokenRefresher {
     this.clock = clock;
   }
 
+  @SuppressWarnings("squid:S3655") // the refresh expiration cannot be null at the time building the new token, because
+                                   // we checked this before in tokenCanBeRefreshed
   Optional<JwtAccessToken> refresh(JwtAccessToken oldToken) {
     JwtAccessTokenBuilder builder = builderFactory.create();
     Map<String, Object> claims = oldToken.getClaims();