diff --git a/src/GraphQL/Mutations/RefreshToken.php b/src/GraphQL/Mutations/RefreshToken.php
index b8ff022..fcb5ab9 100644
--- a/src/GraphQL/Mutations/RefreshToken.php
+++ b/src/GraphQL/Mutations/RefreshToken.php
@@ -49,9 +49,15 @@ public function parseToken($accessToken)
 {
 // since we are generating the token in an internal request, there
 // is no need to verify signature to extract the sub claim
+ $appKey = explode(':', config('app.key'));
+
+ if (! isset($appKey[1])) {
+ return false;
+ }
+
 $config = Configuration::forSymmetricSigner(
 new Blake2b(),
- InMemory::plainText('refresh-token')
+ InMemory::base64Encoded($appKey[1])
 );
 $token = $config->parser()->parse((string) $accessToken);
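Review bot: The new guard `if (! isset($appKey[1]))` makes `parseToken` return `false` for any `app.key` without a colon, which includes a raw (non-`base64:`) key that Laravel's encrypter accepts, and the caller outside this hunk now has to handle a boolean where it previously always received the `sub` claim. The prefix itself is never checked, so any `x:y` value is handed to `InMemory::base64Encoded()`. Consider handling both forms, e.g. `$key = (string) config('app.key');` followed by `$signingKey = strpos($key, 'base64:') === 0 ? InMemory::base64Encoded(substr($key, 7)) : InMemory::plainText($key);`, and throwing on an empty key instead of returning `false`. Note also that the token is still only parsed, not validated, so the key chosen here adds no integrity check and the `sub` claim is trustworthy only while `$accessToken` really comes from the internal request, as the retained comment assumes. The function body continues past the end of the hunk.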