diff --git a/htgettoken.spec b/htgettoken.spec
index 5499237..f43a74a 100644
--- a/htgettoken.spec
+++ b/htgettoken.spec
@@ -80,6 +80,12 @@ rm -rf $RPM_BUILD_ROOT
# and --nokerberos.
# - Again fix --showbearerurl to work in combination with --nobearertoken.
# That was fixed in 1.17 but broke in 1.21 and 2.0.
+# - Fix httokensh to pay attention to htgettoken options in $HTGETTOKENOPTS.
+# - Fix httokensh to correctly locate the log file if a -o or --outfile
+# is given, instead of writing to ".log" in the current directory.
+# - Fix httokensh to not pass on a --vaulttokenminttl option to the background
+# htgettoken command, to make the vault token last as long as possible since
+# it doesn't get renewed.
* Fri Jun 20 2025 Dave Dykstra 2.4-1
- Add the new -s and -f options to the htdecodetoken usage summary.
diff --git a/httokensh b/httokensh
index 17320a7..1209b9a 100755
--- a/httokensh
+++ b/httokensh
@@ -30,15 +30,31 @@ GOTSEP=false
MINSECS=60
GOTVERBOSE=false
GOTOUTFILE=false
+OUTFILE=""
GOTVTFILE=false
GOTVTTTL=false
+# look at HTGETTOKENOPTS in addition to those options on the command line
+# but don't explicitly pass them again to htgettoken
+HTGETSEP="--HTSEP--"
+set -- $HTGETTOKENOPTS $HTGETSEP "$@"
+DONEHTGETTOKENOPTS=false
for ARG; do
if $GOTSEP; then
COMMANDARGS+=("$ARG")
+ elif $GOTOUTFILE; then
+ OUTFILE="$ARG"
+ GOTOUTFILE=false
+ if $DONEHTGETTOKENOPTS; then
+ HTGETTOKENARGS+=("$ARG")
+ fi
+ elif [ "$ARG" = "$HTGETSEP" ]; then
+ DONEHTGETTOKENOPTS=true
elif [ "$ARG" = "--" ]; then
GOTSEP=true
else
- HTGETTOKENARGS+=("$ARG")
+ if $DONEHTGETTOKENOPTS; then
+ HTGETTOKENARGS+=("$ARG")
+ fi
case "$ARG" in
--minsecs=*)
MINSECS="${ARG/--minsecs=/}"
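Review bot: The unquoted `$HTGETTOKENOPTS` in `set -- $HTGETTOKENOPTS $HTGETSEP "$@"` undergoes pathname expansion as well as word splitting, so an option value containing `*`, `?` or `[` can be replaced by matching file names from the current directory before it is parsed. Putting `set -f` before the line and `set +f` after it keeps the intended splitting without globbing. Separately, the `elif $GOTOUTFILE` branch is tested before the `$HTGETSEP` comparison, so an HTGETTOKENOPTS value ending in a bare `-o` takes the sentinel as the output file name. `DONEHTGETTOKENOPTS` then never becomes true and every command-line option is left out of `HTGETTOKENARGS`; testing for `$HTGETSEP` first would avoid that. The `for` loop and its `case` statement continue past the end of this hunk.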
@@ -46,9 +62,12 @@ for ARG; do
-v|--verbose)
GOTVERBOSE=true
;;
- -o|--outfile=*)
+ -o)
GOTOUTFILE=true
;;
+ --outfile=*)
+ OUTFILE="${ARG/--outfile=/}"
+ ;;
--vaulttokenfile=*)
GOTVTFILE=true
;;
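Review bot: Only the spellings `-o FILE` and `--outfile=FILE` set `OUTFILE` in these two arms. If htgettoken's option parser also accepts `-oFILE` or `--outfile FILE` (not visible here), those forms would leave `OUTFILE` empty and httokensh would fall back to its default token path while htgettoken writes elsewhere; this is worth confirming and, if so, adding arms for. As a point of style, `OUTFILE="${ARG#--outfile=}"` states the prefix strip more exactly than `${ARG/--outfile=/}`, although the result is the same here because the arm only matches when the prefix is present. The `case` statement starts and ends outside this hunk.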
@@ -73,12 +92,16 @@ if [ ${#COMMANDARGS[@]} = 0 ]; then
COMMANDARGS=("$SHELL")
fi
-if [ -z "$BEARER_TOKEN_FILE" ] && ! $GOTOUTFILE; then
- BTFILE="bt_u$(id -u).sh-$$"
- if [ -n "$XDG_RUNTIME_DIR" ]; then
- BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE
+if [ -z "$BEARER_TOKEN_FILE" ]; then
+ if [ -n "$OUTFILE" ]; then
+ BEARER_TOKEN_FILE="$OUTFILE"
else
- BEARER_TOKEN_FILE=/tmp/$BTFILE
+ BTFILE="bt_u$(id -u).sh-$$"
+ if [ -n "$XDG_RUNTIME_DIR" ]; then
+ BEARER_TOKEN_FILE=$XDG_RUNTIME_DIR/$BTFILE
+ else
+ BEARER_TOKEN_FILE=/tmp/$BTFILE
+ fi
fi
export BEARER_TOKEN_FILE
fi
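Review bot: `OUTFILE` is consulted only when `BEARER_TOKEN_FILE` is empty, so if the variable is already set in the environment and `-o`/`--outfile` is also given, httokensh keeps the environment path while the option still reaches htgettoken. If htgettoken gives the option precedence (not visible here), the two disagree about where the token lives, which is the case the changelog entry sets out to fix. Testing the option first, `if [ -n "$OUTFILE" ]; then BEARER_TOKEN_FILE="$OUTFILE"; elif [ -z "$BEARER_TOKEN_FILE" ]; then …`, with `export BEARER_TOKEN_FILE` moved after the final `fi`, would keep them aligned. The `/tmp` fallback name is predictable from the uid and pid, so a comment such as `# name is predictable; relies on htgettoken creating the file with restrictive permissions - confirm` would record that assumption for the next reader.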
@@ -123,6 +146,19 @@ gettoken()
# beyond the minsecs, so reduce the minimum to just 1 second
gettoken "not running command" 1
+# Remove any --vaulttokenminttl option so the background renewal
+# gets to be as long as possible
+if [[ "$HTGETTOKENOPTS" = *--vaulttokenminttl* ]]; then
+ HTGETTOKENOPTS="$(echo "$HTGETTOKENOPTS"|sed 's/--vaulttokenminttl=[^ ]*//')"
+fi
+NEWARGS=()
+for ARG in "${HTGETTOKENARGS[@]}"; do
+ if [[ "$ARG" != --vaulttokenminttl* ]]; then
+ NEWARGS+=("$ARG")
+ fi
+done
+HTGETTOKENARGS=("${NEWARGS[@]}")
+
# make sure the logged info is verbose for easier diagnosis
if ! $GOTVERBOSE; then
HTGETTOKENARGS+=("-v")
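Review bot: The `sed` expression applied to `HTGETTOKENOPTS` has no `g` flag and delimits on a literal space, so it is not consistent with the array loop below it, which drops every matching argument. A second `--vaulttokenminttl=` occurrence survives, and one separated from the next option by a tab would take that option with it. `sed 's/--vaulttokenminttl=[^[:space:]]*//g'` would make the two paths consistent. The `if ! $GOTVERBOSE` block at the end of the hunk continues outside it.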
diff --git a/httokensh.1 b/httokensh.1
index 72cc88e..1987633 100644
--- a/httokensh.1
+++ b/httokensh.1
@@ -41,6 +41,10 @@ htgettoken options provided then
.I \-\-vaulttokenminttl=6d
will be automatically added to ensure there are at least 6 days remaining
on the vault token.
+The vault token will not be renewed when it expires, so
+.B httokensh
+is limited to being run for 6 days; it is intended only for interactive
+use.
The access token will be renewed just under
.I \-\-minsecs
diff --git a/httokensh.html b/httokensh.html
index d93e42b..a883eb1 100644
--- a/httokensh.html
+++ b/httokensh.html
@@ -1,5 +1,5 @@
-
-
+
+
@@ -82,7 +82,10 @@ DESCRIPTION
−−vaulttokenminttl htgettoken options
provided then −−vaulttokenminttl=6d will
be automatically added to ensure there are at least 6 days
-remaining on the vault token.
+remaining on the vault token. The vault token will not be
+renewed when it expires, so httokensh is limited to
+being run for 6 days; it is intended only for interactive
+use.
The access
token will be renewed just under