diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
index 371dba9c9..cc1b19a38 100644
--- a/src/GoTrueClient.ts
+++ b/src/GoTrueClient.ts
@@ -486,7 +486,7 @@ export default class GoTrueClient {
     await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`)
     if (error) {
       return { data: { user: null, session: null }, error }
-    } else if (!data || !data.session || !data.user) {
+    } else if (!data || !data.session || !data.user || !data.expires_at) {
       return { data: { user: null, session: null }, error: new AuthInvalidTokenResponseError() }
     }
     if (data.session) {
@@ -521,7 +521,7 @@ export default class GoTrueClient {
       const { data, error } = res
       if (error) {
         return { data: { user: null, session: null }, error }
-      } else if (!data || !data.session || !data.user) {
+      } else if (!data || !data.session || !data.user || !data.expires_at) {
         return {
           data: { user: null, session: null },
           error: new AuthInvalidTokenResponseError(),
@@ -1491,7 +1491,13 @@ export default class GoTrueClient {
       this.inMemorySession = session
     }
 
-    if (this.persistSession && session.expires_at) {
+    if (this.persistSession) {
+      if (!session.expires_at) {
+        throw new Error(
+          `GoTrueClient#_saveSession() requires a session with the expires_at field set`
+        )
+      }
+
       await this._persistSession(session)
     }
   }
@@ -1852,8 +1858,8 @@ export default class GoTrueClient {
       }
 
       await this._saveSession({
-        expires_at: Math.round(Date.now() / 1000) + data.expires_in,
         ...data,
+        expires_at: Math.round(Date.now() / 1000) + data.expires_in,
       })
       await this._notifyAllSubscribers('MFA_CHALLENGE_VERIFIED', data)