diff --git a/package-lock.json b/package-lock.json
index 562345cd6..642cf039e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -72,7 +72,7 @@
         "winston": "^3.17.0",
         "winston-transport": "^4.9.0",
         "ws": "^8.18.0",
-        "zod": "^3.23.8"
+        "zod": "^3.25.28"
       },
       "devDependencies": {
         "@babel/core": "^7.25.2",
@@ -21416,9 +21416,9 @@
       }
     },
     "node_modules/zod": {
-      "version": "3.23.8",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.23.8.tgz",
-      "integrity": "sha512-XBx9AXhXktjUqnepgTiE5flcKIYWi/rme0Eaj+5Y0lftuGBq+jyRu/md4WnuxqgP1ubdpNCsYEYPxrzVHD8d6g==",
+      "version": "3.25.28",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.28.tgz",
+      "integrity": "sha512-/nt/67WYKnr5by3YS7LroZJbtcCBurDKKPBPWWzaxvVCGuG/NOsiKkrjoOhI8mJ+SQUXEbUzeB3S+6XDUEEj7Q==",
       "license": "MIT",
       "funding": {
         "url": "https://github.com/sponsors/colinhacks"
diff --git a/package.json b/package.json
index a21f588ec..2e2d02381 100644
--- a/package.json
+++ b/package.json
@@ -143,7 +143,7 @@
     "winston": "^3.17.0",
     "winston-transport": "^4.9.0",
     "ws": "^8.18.0",
-    "zod": "^3.23.8"
+    "zod": "^3.25.28"
   },
   "type": "module"
 }
diff --git a/src/core/Schemas.ts b/src/core/Schemas.ts
index 5d681040e..0b6a6bd4a 100644
--- a/src/core/Schemas.ts
+++ b/src/core/Schemas.ts
@@ -136,33 +136,18 @@ const SafeString = z
   )
   .max(1000);
 
-const jwtRegex = /^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$/;
-// Copied from zod, modified to remove their erroneous `typ` header requirement
-function isValidJWT(jwt: string, alg?: string): boolean {
-  if (!jwtRegex.test(jwt)) return false;
-  try {
-    const [header] = jwt.split(".");
-    // Convert base64url to base64
-    const base64 = header
-      .replace(/-/g, "+")
-      .replace(/_/g, "/")
-      .padEnd(header.length + ((4 - (header.length % 4)) % 4), "=");
-    const decoded = JSON.parse(atob(base64));
-    if (typeof decoded !== "object" || decoded === null) return false;
-    if (!decoded.alg) return false;
-    if (alg && decoded.alg !== alg) return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-
 const PersistentIdSchema = z.string().uuid();
+const JwtTokenSchema = z.string().jwt();
 const TokenSchema = z
   .string()
-  .refine((v) => PersistentIdSchema.safeParse(v).success || isValidJWT(v), {
-    message: "Token must be a valid UUID or JWT",
-  });
+  .refine(
+    (v) =>
+      PersistentIdSchema.safeParse(v).success ||
+      JwtTokenSchema.safeParse(v).success,
+    {
+      message: "Token must be a valid UUID or JWT",
+    },
+  );
 
 const EmojiSchema = z
   .number()
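Review bot: The new `JwtTokenSchema = z.string().jwt()` silently changes what TokenSchema accepts, and nothing in the hunk records why the removed helper's reason for existing is gone: the deleted comment says isValidJWT was copied from zod specifically to drop its `typ` header requirement, so unless the zod version this commit bumps to (3.25.28 in package.json) no longer enforces `typ`, tokens without that header that validated before will now fail the refine. Please confirm that against the zod release actually installed and say so at the declaration, e.g. `// zod's .jwt() no longer requires a \`typ\` header, so the former isValidJWT workaround is unnecessary` (hedge or drop the sentence if that is not what the release does). Separately, both the old helper and `.jwt()` only check the token's shape and header, not its signature, and the name TokenSchema invites readers to assume more; a one-line comment on `TokenSchema` such as `// Format check only (UUID or well-formed JWT): the signature and claims must be verified where the token is consumed.` would prevent that. If the accepted signing algorithm is fixed, `.jwt({ alg: ... })` can pin it the way the removed helper's unused `alg` parameter was apparently meant to.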