diff --git a/apps/emqx_dashboard/src/emqx_dashboard.erl b/apps/emqx_dashboard/src/emqx_dashboard.erl
index 8c9c471f8..4f9e34238 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard.erl
@@ -210,6 +210,11 @@ filter_false(K, V, S) -> [{K, V} | S].
 listener_name(Protocol) ->
 list_to_atom(atom_to_list(Protocol) ++ ":dashboard").
+-if(?EMQX_RELEASE_EDITION =/= ee).
+%% dialyzer complains about the `unauthorized_role' clause...
+-dialyzer({no_match, [authorize/1]}).
+-endif.
+
 authorize(Req) ->
 case cowboy_req:parse_header(<<"authorization">>, Req) of
 {basic, Username, Password} ->
diff --git a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
index 3ae2a33e1..cf05b1f9f 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_admin.erl
@@ -374,6 +374,10 @@ sign_token(Username, Password) ->
 Error
 end.
+-spec verify_token(_, Token :: binary()) ->
+ Result ::
+ {ok, binary()}
+ | {error, token_timeout | not_found | unauthorized_role}.
 verify_token(Req, Token) ->
 emqx_dashboard_token:verify(Req, Token).
diff --git a/apps/emqx_dashboard/src/emqx_dashboard_token.erl b/apps/emqx_dashboard/src/emqx_dashboard_token.erl
index dec6894dd..38856e7c7 100644
--- a/apps/emqx_dashboard/src/emqx_dashboard_token.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_token.erl
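Review bot: The comment above the new `-dialyzer` attribute trails off with an ellipsis and never says why the `no_match` warning on `authorize/1` is expected, so a reader cannot tell whether the suppressed clause is dead code or a deliberate edition difference. From the `-else.` branch of emqx_dashboard_token.erl further down this diff, non-EE `check_rbac/2` always goes through `save_new_jwt/1` and never yields `{error, unauthorized_role}`, which is what makes that clause of `authorize/1` unreachable; I would say so: `%% Non-EE builds have no role checks, so check_rbac/2 never returns {error, unauthorized_role}; dialyzer would otherwise flag that clause of authorize/1 as unreachable. The clause is kept so EE and CE share one authorize/1.` `no_match` already limits the suppression to one warning class, which is the narrowest scope dialyzer offers, so keep it rather than widening to `nowarn_function`. `authorize/1` continues past the end of the hunk.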
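Review bot: The new `-spec` types the first argument as `_`, which dialyzer treats as `any()`, so the spec says nothing about what `verify_token/2` expects there and cannot catch a caller passing the wrong term; the matching `do_verify/2` spec in emqx_dashboard_token.erl has the same gap. If the argument is always the cowboy request — `authorize/1` in emqx_dashboard.erl reads it with `cowboy_req:parse_header/2` and `check_rbac/2` forwards it to `emqx_dashboard_rbac:check_rbac/2`, though the exact type is not visible in this diff — `-spec verify_token(cowboy_req:req(), Token :: binary()) ->` would let dialyzer check the contract at the call site; if it is intentionally opaque, `Req :: term()` makes that explicit. The `Result ::` name in the return type carries no information and can be dropped.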
@@ -122,23 +122,16 @@ do_sign(#?ADMIN{username = Username} = User, Password) ->
 _ = mria:transaction(?DASHBOARD_SHARD, fun mnesia:write/1, [JWTRec]),
 {ok, Token}.
+-spec do_verify(_, Token :: binary()) ->
+ Result ::
+ {ok, binary()}
+ | {error, token_timeout | not_found | unauthorized_role}.
 do_verify(Req, Token) ->
 case lookup(Token) of
- {ok, JWT = #?ADMIN_JWT{exptime = ExpTime, extra = Extra, username = Username}} ->
+ {ok, JWT = #?ADMIN_JWT{exptime = ExpTime, extra = _Extra, username = _Username}} ->
 case ExpTime > erlang:system_time(millisecond) of
 true ->
- case check_rbac(Req, Extra) of
- true ->
- NewJWT = JWT#?ADMIN_JWT{exptime = jwt_expiration_time()},
- {atomic, Res} = mria:transaction(
- ?DASHBOARD_SHARD,
- fun mnesia:write/1,
- [NewJWT]
- ),
- {Res, Username};
- _ ->
- {error, unauthorized_role}
- end;
+ check_rbac(Req, JWT);
 _ ->
 {error, token_timeout}
 end;
@@ -254,15 +247,28 @@ clean_expired_jwt(Now) ->
 ok = destroy(JWTList).
 -if(?EMQX_RELEASE_EDITION == ee).
-check_rbac(Req, Extra) ->
- emqx_dashboard_rbac:check_rbac(Req, Extra).
+check_rbac(Req, JWT) ->
+ #?ADMIN_JWT{exptime = _ExpTime, extra = Extra, username = _Username} = JWT,
+ case emqx_dashboard_rbac:check_rbac(Req, Extra) of
+ true ->
+ save_new_jwt(JWT);
+ _ ->
+ {error, unauthorized_role}
+ end.
 -else.
--dialyzer({nowarn_function, [check_rbac/2]}).
--dialyzer({no_match, [do_verify/2]}).
-
-check_rbac(_Req, _Extra) ->
- true.
+check_rbac(_Req, JWT) ->
+ save_new_jwt(JWT).
 -endif.
+
+save_new_jwt(OldJWT) ->
+ #?ADMIN_JWT{exptime = _ExpTime, extra = _Extra, username = Username} = OldJWT,
+ NewJWT = OldJWT#?ADMIN_JWT{exptime = jwt_expiration_time()},
+ {atomic, Res} = mria:transaction(
+ ?DASHBOARD_SHARD,
+ fun mnesia:write/1,
+ [NewJWT]
+ ),
+ {Res, Username}.
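Review bot: The new record pattern in `do_verify/2` binds `_Extra` and `_Username` only to discard them; an Erlang record pattern matches on just the fields it lists, so `{ok, JWT = #?ADMIN_JWT{exptime = ExpTime}} ->` is equivalent and stops suggesting those fields matter here, since `check_rbac/2` and `save_new_jwt/1` pull them out of `JWT` themselves. The expiry check still runs before the role check, which is the right order, but the `true ->` branch now hands both the authorisation decision and the expiry renewal to `check_rbac/2`, and in non-EE builds (the `-else.` branch of the next hunk) that call always succeeds and always renews, so every successful verification slides the token's lifetime — pre-existing behaviour, but worth making visible on the new line: `%% check_rbac/2 also renews the token's expiry on success (sliding window)`. The `not_found` error listed in the spec presumably comes from `lookup/1`'s passthrough clause, which lies outside the hunk, as does the end of `do_verify/2`.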