diff --git a/auth/token.go b/auth/token.go
index dee53227c04dc1c34af90db07dbede327f92571f..d802a58e12d8af97bb4aa3bab2e436f2cfafef27 100644
--- a/auth/token.go
+++ b/auth/token.go
@@ -17,7 +17,7 @@ import (
 )

 const (
- timestampThreshold = 30 * time.Second
+ TimestampThreshold = 30 * time.Second
 )

 var (
@@ -58,7 +58,7 @@ func CheckToken(ctx context.Context, secret string, targetTime time.Time) error
 }

 if authInfo.Version == "v2" {
- if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThreshold) {
+ if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, TimestampThreshold) {
 return nil
 }
 }
diff --git a/internal/service/repository/replicate.go b/internal/service/repository/replicate.go
index 3952bd2427e4164b13190ab5b109df05a2639d3a..24d1c060bec08c3ffa62cc5d9c6d4371da26de9c 100644
--- a/internal/service/repository/replicate.go
+++ b/internal/service/repository/replicate.go
@@ -8,6 +8,7 @@ import (
 "os"
 "os/exec"
 "path/filepath"
+ "time"

 "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus/ctxlogrus"
 gitalyauth "gitlab.com/gitlab-org/gitaly/auth"
@@ -261,8 +262,8 @@ func (s *server) getOrCreateConnection(address, token string) (*grpc.ClientConn,
 cc, ok := s.connsByAddress[address]
 s.connsMtx.RUnlock()

- if ok {
- return cc, nil
+ if ok && time.Since(cc.issuedAt) < gitalyauth.TimestampThreshold {
+ return cc.conn, nil
 }

 s.connsMtx.Lock()
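Review bot: The freshness test added in getOrCreateConnection (replicate.go, hunk at -261) reuses a cached connection for the entire server-side acceptance window, because `TimestampThreshold` is the same value CheckToken passes to `v2HmacInfoValid`. If the credential's timestamp is fixed when the connection is dialed (the expiry suggests so, but the hunk does not show it), an RPC sent on a connection just under 30s old can reach the server after the window has closed, and clock skew narrows it further. I would leave headroom, e.g. `if ok && time.Since(cc.issuedAt) < gitalyauth.TimestampThreshold/2 {`, with a comment such as `// re-dial before the v2 token timestamp leaves the server's validation window`. The lookup is also still keyed by `address` alone although `token` is a parameter, so it is worth confirming that one address never needs two different tokens. The function body continues outside this hunk.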
@@ -274,17 +275,17 @@ func (s *server) getOrCreateConnection(address, token string) (*grpc.ClientConn,
 connOpts = append(connOpts, grpc.WithPerRPCCredentials(gitalyauth.RPCCredentialsV2(token)))
 }

- cc, ok = s.connsByAddress[address]
- if ok {
- return cc, nil
- }
-
- cc, err := client.Dial(address, connOpts)
+ clientConn, err := client.Dial(address, connOpts)
 if err != nil {
 return nil, fmt.Errorf("could not dial source: %v", err)
 }

- s.connsByAddress[address] = cc
+ s.connsByAddress[address] = &cachedConn{conn: clientConn, issuedAt: time.Now()}
+
+ return clientConn, nil
+}

- return cc, nil
+type cachedConn struct {
+ conn *grpc.ClientConn
+ issuedAt time.Time
 }
diff --git a/internal/service/repository/server.go b/internal/service/repository/server.go
index 563b9c2a1c06d156bd22895fd746f16fb19ba93b..f86b20906fcef7aecd8050b49883fe2dc8fa4290 100644
--- a/internal/service/repository/server.go
+++ b/internal/service/repository/server.go
@@ -7,20 +7,19 @@ import (
 "gitlab.com/gitlab-org/gitaly/internal/helper"
 "gitlab.com/gitlab-org/gitaly/internal/rubyserver"
 "gitlab.com/gitlab-org/gitaly/proto/go/gitalypb"
- "google.golang.org/grpc"
 )

 type server struct {
 ruby *rubyserver.Server
 gitalypb.UnimplementedRepositoryServiceServer
- connsByAddress map[string]*grpc.ClientConn
+ connsByAddress map[string]*cachedConn
 connsMtx sync.RWMutex
 internalGitalySocket string
 }

 // NewServer creates a new instance of a gRPC repo server
 func NewServer(rs *rubyserver.Server, internalGitalySocket string) gitalypb.RepositoryServiceServer {
- return &server{ruby: rs, connsByAddress: make(map[string]*grpc.ClientConn), internalGitalySocket: internalGitalySocket}
+ return &server{ruby: rs, connsByAddress: make(map[string]*cachedConn), internalGitalySocket: internalGitalySocket}
 }

 func (*server) FetchHTTPRemote(context.Context, *gitalypb.FetchHTTPRemoteRequest) (*gitalypb.FetchHTTPRemoteResponse, error) {
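Review bot: In getOrCreateConnection (replicate.go, hunk at -274) the second lookup under the write lock is removed, so every caller that found the entry missing or stale now dials and overwrites the map entry, and concurrent callers open redundant connections to the same address. The overwritten `*grpc.ClientConn` is dropped without `Close()`, so each expiry appears to leave a connection behind; closing it needs care because earlier callers may still be using it. I would re-check freshness just before `client.Dial`: `if c, ok := s.connsByAddress[address]; ok && time.Since(c.issuedAt) < gitalyauth.TimestampThreshold { return c.conn, nil }`. The lines between the `Lock()` call and this hunk are not shown, so confirm the write lock is held across the dial and the map write.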