diff --git a/packages/core/auth-js/src/GoTrueClient.ts b/packages/core/auth-js/src/GoTrueClient.ts
index f23bc954e..f86ad5a00 100644
--- a/packages/core/auth-js/src/GoTrueClient.ts
+++ b/packages/core/auth-js/src/GoTrueClient.ts
@@ -3649,8 +3649,8 @@ export default class GoTrueClient {
         raw: { header: rawHeader, payload: rawPayload },
       } = decodeJWT(token)
 
-      if (!options?.allowExpired) {
-        // Reject expired JWTs should only happen if jwt argument was passed
+      // Only validate expiration if allowExpired is NOT true
+      if (options?.allowExpired !== true) {
         validateExp(payload.exp)
       }
 
diff --git a/packages/core/postgrest-js/src/PostgrestQueryBuilder.ts b/packages/core/postgrest-js/src/PostgrestQueryBuilder.ts
index a82310078..67fd90d75 100644
--- a/packages/core/postgrest-js/src/PostgrestQueryBuilder.ts
+++ b/packages/core/postgrest-js/src/PostgrestQueryBuilder.ts
@@ -332,6 +332,13 @@ export default class PostgrestQueryBuilder<
       }
     }
 
+    // Automatically use RETURNING for inserts so `.select()` works without SELECT policy
+    if (!this.headers.has('Prefer')) {
+      this.headers.append('Prefer', 'return=representation')
+    } else if (![...this.headers.values()].some((h) => h.includes('return='))) {
+      this.headers.append('Prefer', 'return=representation')
+    }
+
     return new PostgrestFilterBuilder({
       method,
       url: this.url,