diff --git a/package-lock.json b/package-lock.json
index f30e4faa7d..4848772d0d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -32,7 +32,7 @@
         "@ngrx/store": "^18.1.1",
         "@ngx-translate/core": "^16.0.3",
         "@nicky-lenaers/ngx-scroll-to": "^14.0.0",
-        "altcha": "^0.2.2",
+        "altcha": "^0.9.0",
         "angulartics2": "^12.2.0",
         "axios": "^1.7.9",
         "bootstrap": "^5.3",
@@ -165,6 +165,12 @@
       "version": "0.0.0",
       "dev": true
     },
+    "node_modules/@altcha/crypto": {
+      "version": "0.0.1",
+      "resolved": "https://registry.npmjs.org/@altcha/crypto/-/crypto-0.0.1.tgz",
+      "integrity": "sha512-qZMdnoD3lAyvfSUMNtC2adRi666Pxdcw9zqfMU5qBOaJWqpN9K+eqQGWqeiKDMqL0SF+EytNG4kR/Pr/99GJ6g==",
+      "license": "MIT"
+    },
     "node_modules/@ampproject/remapping": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
@@ -8897,9 +8903,29 @@
       }
     },
     "node_modules/altcha": {
-      "version": "0.2.3",
-      "resolved": "https://registry.npmjs.org/altcha/-/altcha-0.2.3.tgz",
-      "integrity": "sha512-7ZYS70TdzpXrV5qcRNnkut5DOjHLrU+DzTlftts9qYAjGaA/7RouHPmc2cKJrAl87jsvvIrL2u9RVsrH1ty1tQ=="
+      "version": "0.9.0",
+      "resolved": "https://registry.npmjs.org/altcha/-/altcha-0.9.0.tgz",
+      "integrity": "sha512-W83eEYpBw5lg37O9c/rtBpp0AaW3+6uiMHifSW8VKFRs2afps16UMO6B93Kaqbr/xA9KNSPEW3q0PwwA01+Ugg==",
+      "license": "MIT",
+      "dependencies": {
+        "@altcha/crypto": "^0.0.1"
+      },
+      "optionalDependencies": {
+        "@rollup/rollup-linux-x64-gnu": "4.18.0"
+      }
+    },
+    "node_modules/altcha/node_modules/@rollup/rollup-linux-x64-gnu": {
+      "version": "4.18.0",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.18.0.tgz",
+      "integrity": "sha512-xuglR2rBVHA5UsI8h8UbX4VJ470PtGCf5Vpswh7p2ukaqBGFTnsfzxUBetoWBWymHMxbIG0Cmx7Y9qDZzr648w==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ]
     },
     "node_modules/angulartics2": {
       "version": "12.2.1",
diff --git a/package.json b/package.json
index e005779c67..3a7f765f9d 100644
--- a/package.json
+++ b/package.json
@@ -114,7 +114,7 @@
     "@ngrx/store": "^18.1.1",
     "@ngx-translate/core": "^16.0.3",
     "@nicky-lenaers/ngx-scroll-to": "^14.0.0",
-    "altcha": "^0.2.2",
+    "altcha": "^0.9.0",
     "angulartics2": "^12.2.0",
     "axios": "^1.7.9",
     "bootstrap": "^5.3",
diff --git a/src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.ts b/src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.ts
index 23117c1bac..41a53e75df 100644
--- a/src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.ts
+++ b/src/app/bitstream-page/bitstream-download-page/bitstream-download-page.component.ts
@@ -129,7 +129,6 @@ export class BitstreamDownloadPageComponent implements OnInit {
         // For now, the access token does not care if we are logged in or not.
         if (hasValue(accessToken)) {
           this.hardRedirectService.redirect(bitstream._links.content.href + '?accessToken=' + accessToken);
-          // this.router.navigateByUrl(getForbiddenRoute(), {skipLocationChange: true});
         } else if (isLoggedIn) {
           this.router.navigateByUrl(getForbiddenRoute(), { skipLocationChange: true });
         } else if (!isLoggedIn) {
diff --git a/src/app/core/data/item-request-data.service.ts b/src/app/core/data/item-request-data.service.ts
index 7c0bb9f21e..26fd4923b4 100644
--- a/src/app/core/data/item-request-data.service.ts
+++ b/src/app/core/data/item-request-data.service.ts
@@ -49,7 +49,6 @@ import { RequestService } from './request.service';
 })
 export class ItemRequestDataService extends IdentifiableDataService<ItemRequest> implements SearchData<ItemRequest> {
 
-  // TODO: This is only public for access by the test class - smell?
   private searchData: SearchDataImpl<ItemRequest>;
 
   constructor(
diff --git a/src/app/core/data/proof-of-work-captcha-data.service.ts b/src/app/core/data/proof-of-work-captcha-data.service.ts
index 1e1f886d36..4f445c4dde 100644
--- a/src/app/core/data/proof-of-work-captcha-data.service.ts
+++ b/src/app/core/data/proof-of-work-captcha-data.service.ts
@@ -4,6 +4,10 @@ import { map } from 'rxjs/operators';
 
 import { HALEndpointService } from '../shared/hal-endpoint.service';
 
+/**
+ * Service for retrieving captcha challenge data, so proof-of-work calculations can be performed
+ * and returned with protected form data.
+ */
 @Injectable({ providedIn: 'root' })
 export class ProofOfWorkCaptchaDataService {
 
@@ -13,12 +17,20 @@ export class ProofOfWorkCaptchaDataService {
               private halService: HALEndpointService) {
   }
 
+  /**
+   * Get the endpoint for retrieving a new captcha challenge, to be passed
+   * to the Altcha captcha component as an input property
+   */
   public getChallengeHref(): Observable<string> {
     return this.getEndpoint().pipe(
       map((endpoint) => endpoint + '/challenge'),
     );
   }
 
+  /**
+   * Get the base CAPTCHA endpoint URL
+   * @protected
+   */
   protected getEndpoint(): Observable<string> {
     return this.halService.getEndpoint(this.linkPath);
   }
diff --git a/src/app/item-page/simple/item-page.component.html b/src/app/item-page/simple/item-page.component.html
index 1892095cb5..2e82824451 100644
--- a/src/app/item-page/simple/item-page.component.html
+++ b/src/app/item-page/simple/item-page.component.html
@@ -6,9 +6,10 @@
           <ng-container *ngVar="(itemRequest$ | async) as itemRequest">
             @if (hasValue(itemRequest)) {
               <div class="alert alert-warning wb-100 mb-2">
-                <p><span role="img" class="request-a-copy-access-icon"><i class="fa-solid fa-lock-open"></i></span>{{'bitstream-request-a-copy.access-by-token.warning' | translate}}</p>
-                @if (hasValue(itemRequest.accessPeriod) && itemRequest.accessPeriod > 0 && hasValue(itemRequest.decisionDate)) {
-                  <p>{{ 'bitstream-request-a-copy.access-by-token.expiry-label' | translate }} {{ getAccessPeriodEndDate(itemRequest.accessPeriod, itemRequest.decisionDate) }}</p>
+                <p><span role="img" class="request-a-copy-access-icon" [attr.aria-label]="'bitstream-request-a-copy.access-by-token.alt-text' | translate"><i class="fa-solid fa-lock-open"></i></span>{{'bitstream-request-a-copy.access-by-token.warning' | translate}}</p>
+                <!-- Only show the expiry date if it's not null, and doesn't start with the "FOREVER" year -->
+                @if (hasValue(itemRequest.accessExpiry) && !itemRequest.accessExpiry.startsWith('+294276')) {
+                  <p>{{ 'bitstream-request-a-copy.access-by-token.expiry-label' | translate }} {{ itemRequest.accessExpiry }}</p>
                 }
               </div>
             }
diff --git a/src/assets/i18n/en.json5 b/src/assets/i18n/en.json5
index 5540d16e65..da0e4b9e45 100644
--- a/src/assets/i18n/en.json5
+++ b/src/assets/i18n/en.json5
@@ -1002,6 +1002,8 @@
 
   "bitstream-request-a-copy.access-by-token.expiry-label": "Access provided by this link will expire on",
 
+  "bitstream-request-a-copy.access-by-token.alt-text": "Access to this item is provided by a secure token",
+
   "browse.back.all-results": "All browse results",
 
   "browse.comcol.by.author": "By Author",
@@ -1898,6 +1900,8 @@
 
   "file-download-link.restricted": "Restricted bitstream",
 
+  "file-download-link.secure-access": "Restricted bitstream available via secure access token",
+
   "file-section.error.header": "Error obtaining files for this item",
 
   "footer.copyright": "copyright © 2002-{{ year }}",