diff --git a/restheart-mongo/docker-compose.yml b/restheart-mongo/docker-compose.yml
index 44797e9c..e5e0a8e6 100644
--- a/restheart-mongo/docker-compose.yml
+++ b/restheart-mongo/docker-compose.yml
@@ -27,7 +27,7 @@ services:
       # --freezeTime keeps `exp` valid. Pinning the secret keeps
       # the bearer signature verifiable across record→replay
       # container restarts (deterministic key, deterministic JWT).
-      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings";/mongoAclAuthorizer/cache-enabled->false'
+      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings";/mongoAclAuthorizer/cache-enabled->false;/graphql/app-cache-enabled->false'
       # Bound RESTHeart's JVM heap. RESTHeart 9.x's default uses
       # `MaxRAMPercentage=25` of cgroup memory, which on a typical
       # Woodpecker runner cgroup (~8GB) lands ~2GB heap. With three
@@ -59,6 +59,22 @@ services:
       # despite recorded 200. Disabling the cache makes ACL rules
       # read-through from mongo on every request — small perf cost,
       # but eliminates the time-freeze x cache-ttl interaction.
+      #
+      # Note on /graphql/app-cache-enabled->false in RHO:
+      # RESTHeart's GraphQL service caches gql-apps app definitions with a
+      # 60s time-to-revalidate (app-cache-ttr, Caffeine, nanoTime ticker) —
+      # the SAME time-freeze x cache-ttl interaction as the ACL cache above.
+      # flow.sh POSTs a "halpeople" GraphQL app to gql-apps and then fires
+      # POST /graphql/halpeople queries. At record the wall clock advances,
+      # so the app cache revalidates (re-reading gql-apps) at TTR
+      # boundaries; under `keploy test --freezeTime` the ticker is frozen so
+      # the cache never revalidates, producing a DIFFERENT number/order of
+      # `find gql-apps` mongo queries than were recorded. The unmatched
+      # find has no recorded mock -> keploy's mongo proxy closes the socket
+      # -> RESTHeart returns 500 (MongoSocketReadException) instead of the
+      # recorded response (the post-graphql-halpeople flakiness). Disabling
+      # the app cache makes gql-apps read-through on every request, so the
+      # mongo query stream is identical at record and replay.
     depends_on:
       mongo:
         condition: service_healthy
diff --git a/restheart-mongo/keploy.yml.template b/restheart-mongo/keploy.yml.template
index a16bc5e2..8b5a3736 100644
--- a/restheart-mongo/keploy.yml.template
+++ b/restheart-mongo/keploy.yml.template
@@ -61,3 +61,10 @@ test:
         client_ip: []
         latencyMs: []
         access_token: []
+        # RESTHeart's /tokens endpoint returns expires_in = seconds until
+        # the JWT `exp`, computed as (exp - now) at request time. Even under
+        # --freezeTime the recorded vs replayed value can differ by 1s when
+        # the request straddles a second boundary (observed 872 vs 871 on
+        # post-token), so the countdown must be treated as noise just like
+        # the access_token JWT itself.
+        expires_in: []