Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Token Expiration

Training Camp • Cybersecurity Glossary

What is Token Expiration?

The fixed lifetime after which an authentication or access token becomes invalid, forcing reauthentication - limiting the damage window from a stolen token or replay attack.

Glossary > Identity & Access Management > Token Expiration

Token Expiration — The fixed lifetime after which an authentication or access token becomes invalid

Understanding Token Expiration

Token expiration is the predetermined lifetime after which an authentication or access token becomes invalid, requiring the user or client to reauthenticate or refresh to obtain a new one. It bounds how long a credential is usable, limiting the window in which a stolen, leaked, or replayed token can be abused.

Mechanically, expiration is enforced by a time claim embedded in or associated with the token. A JSON Web Token (JWT), for instance, carries an "exp" claim (a Unix timestamp) that the resource server checks on every request, rejecting the token once the current time passes it. OAuth 2.0 commonly issues short-lived access tokens alongside longer-lived refresh tokens: the access token expires in minutes, and the client silently exchanges the refresh token for a new one, so a leaked access token is useful only briefly. Session tokens behave similarly with idle and absolute timeouts.

This matters because tokens are bearer credentials - whoever holds one is treated as authenticated. Without expiration, a token captured through interception, an XSS payload, a logged URL, or a breached database would grant access indefinitely. Short lifetimes shrink the replay window, force periodic revalidation against current authorization state, and complement revocation. Standards like OAuth 2.0 and OpenID Connect rely on bounded token lifetimes as a core defense, balanced against usability so users are not reauthenticated constantly.

For example, an API issues JWT access tokens with a 15-minute "exp" and 8-hour refresh tokens. An attacker who steals an access token from a browser via XSS can call the API only until that 15-minute mark, after which every request is rejected as expired. The legitimate client, meanwhile, uses its refresh token to obtain fresh access tokens transparently - and if the breach is detected, revoking the refresh token cuts off renewal entirely.

Learn More About Token Expiration:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →