diff --git a/spx-gui/package-lock.json b/spx-gui/package-lock.json
index 8af7064aa0..98f3e09be4 100644
--- a/spx-gui/package-lock.json
+++ b/spx-gui/package-lock.json
@@ -44,7 +44,6 @@
         "hast": "^1.0.0",
         "hast-util-raw": "^9.1.0",
         "hast-util-sanitize": "^5.0.2",
-        "jwt-decode": "^4.0.0",
         "konva": "^9.3.1",
         "localforage": "^1.10.0",
         "lodash": "^4.17.21",
diff --git a/spx-gui/package.json b/spx-gui/package.json
index 898991f330..3c1f080953 100644
--- a/spx-gui/package.json
+++ b/spx-gui/package.json
@@ -51,7 +51,6 @@
     "hast": "^1.0.0",
     "hast-util-raw": "^9.1.0",
     "hast-util-sanitize": "^5.0.2",
-    "jwt-decode": "^4.0.0",
     "konva": "^9.3.1",
     "localforage": "^1.10.0",
     "lodash": "^4.17.21",
diff --git a/spx-gui/src/apis/common/client.test.ts b/spx-gui/src/apis/common/client.test.ts
index 447cba80ac..474e7f7874 100644
--- a/spx-gui/src/apis/common/client.test.ts
+++ b/spx-gui/src/apis/common/client.test.ts
@@ -112,4 +112,18 @@ describe('Client', () => {
       expect(globalFetchMock).toHaveBeenCalledTimes(1)
     })
   })
+
+  describe('explicit authorization headers', () => {
+    it('should preserve an explicit Authorization header instead of overwriting it with the token provider', async () => {
+      fetchMock.mockResolvedValueOnce(new Response(JSON.stringify({ username: 'alice' }), { status: 200 }))
+      client.setTokenProvider(async () => 'shared-token')
+
+      await client.get('/user', undefined, {
+        headers: new Headers({ Authorization: 'Bearer direct-token' })
+      })
+
+      const req = fetchMock.mock.calls[0]?.[0] as Request
+      expect(req.headers.get('Authorization')).toBe('Bearer direct-token')
+    })
+  })
 })
diff --git a/spx-gui/src/apis/common/client.ts b/spx-gui/src/apis/common/client.ts
index 27f2ad19e0..14c0b0e9f6 100644
--- a/spx-gui/src/apis/common/client.ts
+++ b/spx-gui/src/apis/common/client.ts
@@ -97,7 +97,7 @@ export class Client {
     options?.signal?.throwIfAborted()
     const headers = options?.headers ?? new Headers()
     if (body != null) headers.set('Content-Type', 'application/json')
-    if (token != null) headers.set('Authorization', `Bearer ${token}`)
+    if (token != null && !headers.has('Authorization')) headers.set('Authorization', `Bearer ${token}`)
     if (sentryTraceHeader != null) headers.set('Sentry-Trace', sentryTraceHeader)
     if (sentryBaggageHeader != null) headers.set('Baggage', sentryBaggageHeader)
     return new Request(url, { method, headers, body })
@@ -143,7 +143,7 @@ export class Client {
     const token = await this.tokenProvider()
     options?.signal?.throwIfAborted()
     const headers = options?.headers ?? new Headers()
-    if (token != null) headers.set('Authorization', `Bearer ${token}`)
+    if (token != null && !headers.has('Authorization')) headers.set('Authorization', `Bearer ${token}`)
     if (sentryTraceHeader != null) headers.set('Sentry-Trace', sentryTraceHeader)
     if (sentryBaggageHeader != null) headers.set('Baggage', sentryBaggageHeader)
     const req = new Request(url, { method, headers, body: payload })
diff --git a/spx-gui/src/apis/user.ts b/spx-gui/src/apis/user.ts
index a7cda5fa20..f0d21074f8 100644
--- a/spx-gui/src/apis/user.ts
+++ b/spx-gui/src/apis/user.ts
@@ -48,8 +48,8 @@ export async function isUsernameTaken(username: string) {
   }
 }
 
-export function getSignedInUser(): Promise<SignedInUser> {
-  return client.get(`/user`) as Promise<SignedInUser>
+export function getSignedInUser(options?: { headers?: Headers }): Promise<SignedInUser> {
+  return client.get(`/user`, undefined, options) as Promise<SignedInUser>
 }
 
 export type UpdateSignedInUserParams = Partial<Pick<User, 'username' | 'displayName' | 'avatar' | 'description'>>
diff --git a/spx-gui/src/pages/sign-in/token.vue b/spx-gui/src/pages/sign-in/token.vue
index 357879f0f4..58c06f13b5 100644
--- a/spx-gui/src/pages/sign-in/token.vue
+++ b/spx-gui/src/pages/sign-in/token.vue
@@ -25,16 +25,14 @@
           html-type="submit"
           :loading="handleSubmit.isLoading.value"
         >
-          {{ buttonText }}
+          {{ $t({ en: 'Sign in', zh: '登录' }) }}
         </UIButton>
       </footer>
     </UIForm>
   </div>
 </template>
 <script setup lang="ts">
-import { computed, ref } from 'vue'
 import { useRouter } from 'vue-router'
-import { jwtDecode } from 'jwt-decode'
 import { useI18n } from '@/utils/i18n'
 import { usePageTitle } from '@/utils/utils'
 import { useMessageHandle } from '@/utils/exception'
@@ -51,36 +49,17 @@ usePageTitle(title)
 const router = useRouter()
 const i18n = useI18n()
 
-const username = ref<string | null>(null)
-const buttonText = computed(() => {
-  if (username.value == null) return i18n.t({ en: 'Sign in', zh: '登录' })
-  return i18n.t({
-    en: `Sign in as ${username.value}`,
-    zh: `以 ${username.value} 登录`
-  })
-})
-
 const form = useForm({
   token: ['', validateToken]
 })
 
 function validateToken(token: string) {
-  username.value = null
   token = token.trim()
   if (token === '')
     return i18n.t({
       en: 'Token is required',
       zh: '请提供 Token'
     })
-  try {
-    const decoded = jwtDecode<{ name: string }>(token)
-    username.value = decoded.name
-  } catch (e) {
-    return i18n.t({
-      en: 'Invalid token: ' + e,
-      zh: '无效的 Token：' + e
-    })
-  }
 }
 
 function handleCancel() {
@@ -90,7 +69,7 @@ function handleCancel() {
 const handleSubmit = useMessageHandle(
   async () => {
     const token = form.value.token.trim()
-    signInWithAccessToken(token)
+    await signInWithAccessToken(token)
     router.push('/')
   },
   {
diff --git a/spx-gui/src/router.ts b/spx-gui/src/router.ts
index d27f5e7893..a15d8af600 100644
--- a/spx-gui/src/router.ts
+++ b/spx-gui/src/router.ts
@@ -11,6 +11,11 @@ export function getProjectEditorRoute(ownerName: string, projectName: string, pu
 }
 
 export function getOwnProjectEditorRoute(projectName: string, publish = false) {
+  // TODO: Remove this helper after splitting "open my project editor" into two layers:
+  // - a pure self-entry route builder like `/editor/:projectName`
+  // - async resolution of the canonical signed-in user at that route boundary
+  // Then navigate to `/editor/:owner/:project` with backend-confirmed signed-in user data,
+  // instead of deriving owner name from unresolved local auth state synchronously.
   const username = getUnresolvedSignedInUsername()
   if (username == null) throw new Error('User not signed in')
   return getProjectEditorRoute(username, projectName, publish)
@@ -136,6 +141,11 @@ const routes: Array<RouteRecordRaw> = [
     path: '/editor/:projectNameInput',
     redirect(to) {
       const { projectNameInput } = to.params
+      // TODO: Replace this synchronous redirect with an async entry boundary (for example `beforeEnter`) that:
+      // - checks/initiates sign-in
+      // - awaits canonical signed-in user data
+      // - redirects to `/editor/:owner/:project`
+      // That would let router stop depending on unresolved local username hints here.
       const username = getUnresolvedSignedInUsername()
       // Route with `redirect` will not trigger the global `beforeEach` guard,
       // so we need to check sign-in status here.
diff --git a/spx-gui/src/stores/following.ts b/spx-gui/src/stores/following.ts
index 04e9e27265..69598bbf32 100644
--- a/spx-gui/src/stores/following.ts
+++ b/spx-gui/src/stores/following.ts
@@ -2,7 +2,7 @@ import { computed, toRef, type WatchSource } from 'vue'
 import { useQueryWithCache, useQueryCache } from '@/utils/query'
 import { useAction } from '@/utils/exception'
 import * as apis from '@/apis/user'
-import { getUnresolvedSignedInUsername } from './user'
+import { useSignedInUser } from './user'
 
 function getFollowingQueryKey(signedInUsernameInput: string | null, username: string) {
   return ['following', signedInUsernameInput, username]
@@ -12,11 +12,12 @@ const staleTime = 5 * 60 * 1000 // 5min
 
 export function useIsFollowing(username: WatchSource<string>) {
   const usernameRef = toRef(username)
-  const queryKey = computed(() => getFollowingQueryKey(getUnresolvedSignedInUsername(), usernameRef.value))
+  const signedInUser = useSignedInUser()
+  const queryKey = computed(() => getFollowingQueryKey(signedInUser.value?.username ?? null, usernameRef.value))
   return useQueryWithCache({
     queryKey,
     async queryFn() {
-      const signedInUsernameInput = getUnresolvedSignedInUsername()
+      const signedInUsernameInput = signedInUser.value?.username ?? null
       if (signedInUsernameInput == null || signedInUsernameInput === usernameRef.value) return false
       return apis.isFollowing(usernameRef.value)
     },
@@ -27,10 +28,11 @@ export function useIsFollowing(username: WatchSource<string>) {
 
 export function useFollow() {
   const queryCache = useQueryCache()
+  const signedInUser = useSignedInUser()
   return useAction(
     async function follow(username: string) {
       await apis.follow(username)
-      const queryKey = getFollowingQueryKey(getUnresolvedSignedInUsername(), username)
+      const queryKey = getFollowingQueryKey(signedInUser.value?.username ?? null, username)
       queryCache.invalidateWithOptimisticValue(queryKey, true)
     },
     { en: 'Failed to follow', zh: '关注用户失败' }
@@ -39,10 +41,11 @@ export function useFollow() {
 
 export function useUnfollow() {
   const queryCache = useQueryCache()
+  const signedInUser = useSignedInUser()
   return useAction(
     async function unfollow(username: string) {
       await apis.unfollow(username)
-      const queryKey = getFollowingQueryKey(getUnresolvedSignedInUsername(), username)
+      const queryKey = getFollowingQueryKey(signedInUser.value?.username ?? null, username)
       queryCache.invalidateWithOptimisticValue(queryKey, false)
     },
     { en: 'Failed to unfollow', zh: '取消关注失败' }
diff --git a/spx-gui/src/stores/liking.ts b/spx-gui/src/stores/liking.ts
index 022d49d1bd..dfe47fb166 100644
--- a/spx-gui/src/stores/liking.ts
+++ b/spx-gui/src/stores/liking.ts
@@ -2,7 +2,7 @@ import { computed, toRef, type WatchSource } from 'vue'
 import { useQueryWithCache, useQueryCache } from '@/utils/query'
 import { useAction } from '@/utils/exception'
 import * as apis from '@/apis/project'
-import { getUnresolvedSignedInUsername, isSignedIn } from './user'
+import { isSignedIn, useSignedInUser } from './user'
 
 function getLikingQueryKey(signedInUsernameInput: string | null, owner: string, name: string) {
   return ['liking', signedInUsernameInput, owner, name]
@@ -12,9 +12,10 @@ const staleTime = 5 * 60 * 1000 // 5min
 
 export function useIsLikingProject(project: WatchSource<{ owner: string; name: string }>) {
   const projectRef = toRef(project)
+  const signedInUser = useSignedInUser()
   const queryKey = computed(() => {
     const { owner, name } = projectRef.value
-    return getLikingQueryKey(getUnresolvedSignedInUsername(), owner, name)
+    return getLikingQueryKey(signedInUser.value?.username ?? null, owner, name)
   })
   return useQueryWithCache({
     queryKey,
@@ -29,10 +30,11 @@ export function useIsLikingProject(project: WatchSource<{ owner: string; name: s
 
 export function useLikeProject() {
   const queryCache = useQueryCache()
+  const signedInUser = useSignedInUser()
   return useAction(
     async function likeProject(owner: string, name: string) {
       await apis.likeProject(owner, name)
-      const queryKey = getLikingQueryKey(getUnresolvedSignedInUsername(), owner, name)
+      const queryKey = getLikingQueryKey(signedInUser.value?.username ?? null, owner, name)
       queryCache.invalidateWithOptimisticValue(queryKey, true)
     },
     { en: 'Failed to like', zh: '标记喜欢失败' }
@@ -41,10 +43,11 @@ export function useLikeProject() {
 
 export function useUnlikeProject() {
   const queryCache = useQueryCache()
+  const signedInUser = useSignedInUser()
   return useAction(
     async function unlikeProject(owner: string, name: string) {
       await apis.unlikeProject(owner, name)
-      const queryKey = getLikingQueryKey(getUnresolvedSignedInUsername(), owner, name)
+      const queryKey = getLikingQueryKey(signedInUser.value?.username ?? null, owner, name)
       queryCache.invalidateWithOptimisticValue(queryKey, false)
     },
     { en: 'Failed to unlike', zh: '取消喜欢失败' }
diff --git a/spx-gui/src/stores/user/signed-in.test.ts b/spx-gui/src/stores/user/signed-in.test.ts
new file mode 100644
index 0000000000..445fec6c4c
--- /dev/null
+++ b/spx-gui/src/stores/user/signed-in.test.ts
@@ -0,0 +1,115 @@
+import { ref, shallowRef } from 'vue'
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { withSetup } from '@/utils/test'
+
+const exchangeForAccessToken = vi.fn()
+const refreshAccessToken = vi.fn()
+const signinRedirect = vi.fn()
+const getSignedInUser = vi.fn()
+const useVueQueryMock = vi.fn()
+
+class MockCasdoorSdk {
+  exchangeForAccessToken() {
+    return exchangeForAccessToken()
+  }
+
+  refreshAccessToken(...args: unknown[]) {
+    return refreshAccessToken(...args)
+  }
+
+  signin_redirect(...args: unknown[]) {
+    return signinRedirect(...args)
+  }
+}
+
+vi.mock('casdoor-js-sdk', () => ({
+  default: MockCasdoorSdk
+}))
+
+vi.mock('@/apis/user', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('@/apis/user')>()
+  return {
+    ...actual,
+    getSignedInUser
+  }
+})
+
+vi.mock('@/utils/query', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('@/utils/query')>()
+  return {
+    ...actual,
+    useQueryWithCache: useVueQueryMock
+  }
+})
+
+describe('signed-in user query key version', () => {
+  beforeEach(() => {
+    localStorage.clear()
+    sessionStorage.clear()
+    exchangeForAccessToken.mockReset()
+    refreshAccessToken.mockReset()
+    signinRedirect.mockReset()
+    getSignedInUser.mockReset()
+    useVueQueryMock.mockReset()
+    useVueQueryMock.mockReturnValue({
+      isLoading: ref(false),
+      data: shallowRef(null),
+      error: shallowRef(null),
+      progress: shallowRef({ percentage: 0, timeLeft: null, desc: null }),
+      refetch: vi.fn()
+    })
+    vi.resetModules()
+  })
+
+  afterEach(async () => {
+    const userStore = await import('./signed-in')
+    userStore.signOut()
+    vi.restoreAllMocks()
+  })
+
+  it('should change the signed-in user query key across sign-in and sign-out transitions', async () => {
+    const userStore = await import('./signed-in')
+    getSignedInUser.mockResolvedValue({ username: 'alice' })
+
+    withSetup(() => userStore.useSignedInUser())
+    expect(useVueQueryMock).toHaveBeenLastCalledWith(expect.objectContaining({ queryKey: expect.any(Object) }))
+    let queryKey = useVueQueryMock.mock.lastCall?.[0]?.queryKey
+    expect(queryKey.value).toEqual(['signed-in-user', 0])
+
+    await userStore.signInWithAccessToken('token-a')
+    withSetup(() => userStore.useSignedInUser())
+    queryKey = useVueQueryMock.mock.lastCall?.[0]?.queryKey
+    expect(queryKey.value).toEqual(['signed-in-user', 1])
+
+    userStore.signOut()
+    withSetup(() => userStore.useSignedInUser())
+    queryKey = useVueQueryMock.mock.lastCall?.[0]?.queryKey
+    expect(queryKey.value).toEqual(['signed-in-user', 2])
+  })
+
+  it('should resolve username from the access token when signing in with a token', async () => {
+    const userStore = await import('./signed-in')
+    getSignedInUser.mockResolvedValue({ username: 'alice' })
+
+    await expect(userStore.signInWithAccessToken('token-a')).resolves.toBeUndefined()
+    expect(userStore.isSignedIn()).toBe(true)
+    expect(userStore.getUnresolvedSignedInUsername()).toBe('alice')
+    expect(getSignedInUser).toHaveBeenCalledWith({
+      headers: new Headers({ Authorization: 'Bearer token-a' })
+    })
+  })
+
+  it('should not bump auth-session version when resolving access token for a guest session', async () => {
+    const userStore = await import('./signed-in')
+
+    withSetup(() => userStore.useSignedInUser())
+    let queryKey = useVueQueryMock.mock.lastCall?.[0]?.queryKey
+    expect(queryKey.value).toEqual(['signed-in-user', 0])
+
+    await expect(userStore.ensureAccessToken()).resolves.toBeNull()
+
+    withSetup(() => userStore.useSignedInUser())
+    queryKey = useVueQueryMock.mock.lastCall?.[0]?.queryKey
+    expect(queryKey.value).toEqual(['signed-in-user', 0])
+  })
+})
diff --git a/spx-gui/src/stores/user/signed-in.ts b/spx-gui/src/stores/user/signed-in.ts
index 19d3573a8d..f197cb6f58 100644
--- a/spx-gui/src/stores/user/signed-in.ts
+++ b/spx-gui/src/stores/user/signed-in.ts
@@ -1,7 +1,6 @@
-import { reactive, watchEffect, computed } from 'vue'
+import { reactive, watchEffect, computed, ref } from 'vue'
 import Sdk from 'casdoor-js-sdk'
 import { casdoorConfig } from '@/utils/env'
-import { jwtDecode } from 'jwt-decode'
 import { useQueryWithCache, useQueryCache, useQuery, composeQuery } from '@/utils/query'
 import { useAction } from '@/utils/exception'
 import * as apis from '@/apis/user'
@@ -20,10 +19,6 @@ const userState = reactive({
   accessToken: null as string | null,
   accessTokenExpiresAt: null as number | null,
   refreshToken: null as string | null,
-  /**
-   * User name parsed from access token, or null if not available.
-   * This is only a hint and should not be treated as canonical backend-confirmed identity.
-   */
   username: null as string | null
 })
 
@@ -41,21 +36,38 @@ interface TokenResponse {
   refresh_token: string
 }
 
-function decodeUsernameFromAccessToken(accessToken: string): string | null {
-  try {
-    const decoded = jwtDecode<{ name?: unknown }>(accessToken)
-    if (typeof decoded.name !== 'string' || decoded.name === '') return null
-    return decoded.name
-  } catch {
-    return null
-  }
+async function fetchSignedInUsernameByAccessToken(accessToken: string) {
+  const user = await apis.getSignedInUser({
+    headers: new Headers({
+      Authorization: `Bearer ${accessToken}`
+    })
+  })
+  return user.username
 }
 
-function handleTokenResponse(resp: TokenResponse) {
+async function handleTokenResponse(resp: TokenResponse) {
+  const username = await fetchSignedInUsernameByAccessToken(resp.access_token)
   userState.accessToken = resp.access_token
   userState.accessTokenExpiresAt = resp.expires_in ? Date.now() + resp.expires_in * 1000 : null
   userState.refreshToken = resp.refresh_token
-  userState.username = decodeUsernameFromAccessToken(resp.access_token)
+  userState.username = username
+}
+
+/**
+ * Monotonic local auth-session version for signed-in-user queries and derived async reads.
+ *
+ * This is bumped whenever local auth state crosses a session boundary, such as sign-in or sign-out.
+ *
+ * It is intentionally different from imperative cache invalidation:
+ * - the version becomes part of the query key, so each auth session gets an isolated cache entry
+ * - derived async reads can compare the captured version before/after awaiting, which prevents stale
+ *   results from an older auth session from being consumed in the current one
+ */
+const authSessionVersion = ref(0)
+
+function bumpAuthSessionVersion() {
+  authSessionVersion.value++
+  return authSessionVersion.value
 }
 
 export function initiateSignIn(
@@ -71,17 +83,29 @@ export function initiateSignIn(
 
 export async function completeSignIn() {
   const resp = await casdoorSdk.exchangeForAccessToken()
-  handleTokenResponse(resp)
+  await handleTokenResponse(resp)
+  bumpAuthSessionVersion()
 }
 
-export function signInWithAccessToken(accessToken: string) {
+export async function signInWithAccessToken(accessToken: string) {
+  const username = await fetchSignedInUsernameByAccessToken(accessToken)
   userState.accessToken = accessToken
   userState.accessTokenExpiresAt = null
   userState.refreshToken = null
-  userState.username = decodeUsernameFromAccessToken(accessToken)
+  userState.username = username
+  bumpAuthSessionVersion()
+}
+
+function hasLocalAuthState() {
+  return userState.accessToken != null || userState.accessTokenExpiresAt != null || userState.refreshToken != null
 }
 
 export function signOut() {
+  // `ensureAccessToken()` is also used by guest/public API requests. If we are already effectively
+  // signed out, returning early avoids bumping `authSessionVersion` for those requests, which would
+  // otherwise retrigger signed-in-state consumers and can cascade into startup update loops.
+  if (!hasLocalAuthState()) return
+  bumpAuthSessionVersion()
   userState.accessToken = null
   userState.accessTokenExpiresAt = null
   userState.refreshToken = null
@@ -96,14 +120,13 @@ export async function ensureAccessToken(): Promise<string | null> {
 
   if (tokenRefreshPromise != null) return tokenRefreshPromise
   if (userState.refreshToken == null) {
-    signOut()
     return null
   }
 
   tokenRefreshPromise = (async () => {
     try {
       const resp = await casdoorSdk.refreshAccessToken(userState.refreshToken!)
-      handleTokenResponse(resp)
+      await handleTokenResponse(resp)
     } catch (e) {
       console.error('failed to refresh access token', e)
       throw e
@@ -136,33 +159,24 @@ export function isSignedIn(): boolean {
 /**
  * Returns the current signed-in username from locally available auth state only.
  *
- * The returned value is unresolved: it comes from the access token,
- * and should not be treated as canonical backend-confirmed identity.
+ * The returned value is unresolved: it comes from local cached state and may lag behind the
+ * canonical signed-in user returned by the backend.
  *
- * Use this only at boundaries that need a synchronous identity hint, such as cache keys, route
- * derivation, or other session-scoping data. Do not use it for behavior-sensitive checks like
- * ownership, permissions, or other logic that should depend on canonical backend data.
+ * Use this only at boundaries that need a synchronous session-scoped identity hint, such as
+ * temporary route derivation or user-scoped storage. Do not use it for behavior-sensitive checks
+ * like ownership, permissions, or other logic that should depend on canonical backend data.
  */
 export function getUnresolvedSignedInUsername(): string | null {
   if (!isSignedIn()) return null
-  if (userState.username != null) return userState.username
-  if (userState.accessToken == null) return null
-  const username = decodeUsernameFromAccessToken(userState.accessToken)
-  if (username == null) return null
-  userState.username = username
-  return username
+  return userState.username
 }
 
 const signedInUserStaleTime = 60 * 1000 // 1min
-
-function getSignedInUserQueryKey() {
-  return [...getUserQueryKey(getUnresolvedSignedInUsername() ?? ''), 'signed-in']
-}
+const signedInUserQueryKey = computed(() => ['signed-in-user', authSessionVersion.value])
 
 function useSignedInUserQuery() {
-  const queryKey = computed(() => getSignedInUserQueryKey())
   return useQueryWithCache({
-    queryKey: queryKey,
+    queryKey: signedInUserQueryKey,
     async queryFn() {
       if (!isSignedIn()) throw new Error('User not signed in')
       return apis.getSignedInUser()
@@ -188,14 +202,16 @@ export type SignedInState =
 /**
  * Get the signed-in state, including whether the user is signed in and the signed-in user information if available.
  * Suitable for scenarios like:
- * - callers need to known whether the user is signed in or not
- * - callers need to acccess the loading or error state of the signed-in user query
+ * - callers need to know whether the user is signed in or not
+ * - callers need to access the loading or error state of the signed-in user query
  */
 export function useSignedInStateQuery() {
   const signedInUserQuery = useSignedInUserQuery()
   return useQuery<SignedInState>(async (ctx) => {
     if (!isSignedIn()) return { isSignedIn: false, user: null }
+    const version = authSessionVersion.value
     const user = await composeQuery(ctx, signedInUserQuery)
+    if (version !== authSessionVersion.value) return { isSignedIn: false, user: null }
     return { isSignedIn: true, user }
   })
 }
@@ -218,9 +234,8 @@ export function useUpdateSignedInUser() {
     async function updateSignedInUser(
       params: Pick<apis.UpdateSignedInUserParams, 'displayName' | 'avatar' | 'description'>
     ) {
-      const unresolvedUsername = getUnresolvedSignedInUsername()
       const updated = await apis.updateSignedInUser(params)
-      if (unresolvedUsername != null) queryCache.invalidate(getUserQueryKey(unresolvedUsername))
+      queryCache.invalidate(signedInUserQueryKey.value)
       queryCache.invalidate(getUserQueryKey(updated.username))
       return updated
     },
@@ -234,16 +249,9 @@ export function useUpdateSignedInUser() {
  * Typically the caller may want to reload the route to trigger navigation guards or initiate sign-in manually.
  */
 export function useModifySignedInUsername() {
-  const queryCache = useQueryCache()
-
   return useAction(
     async function modifySignedInUsername(newUsername: string) {
-      const oldUsername = getUnresolvedSignedInUsername()
-      if (oldUsername == null) throw new Error('Signed-in username is not available')
-
       const updated = await apis.updateSignedInUser({ username: newUsername })
-      queryCache.invalidate(getUserQueryKey(oldUsername))
-      queryCache.invalidate(getUserQueryKey(updated.username))
       signOut()
       return updated
     },