Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
The fixed lifetime after which an authentication or access token becomes invalid, forcing reauthentication - limiting the damage window from a stolen token or replay attack.
Token Expiration Definition: The fixed lifetime after which an authentication or access token becomes invalid, forcing reauthentication - limiting the damage window from a stolen token or replay attack.
Token expiration is the predetermined lifetime after which an authentication or access token becomes invalid, requiring the user or client to reauthenticate or refresh to obtain a new one. It bounds how long a credential is usable, limiting the window in which a stolen, leaked, or replayed token can be abused.
Mechanically, expiration is enforced by a time claim embedded in or associated with the token. A JSON Web Token (JWT), for instance, carries an "exp" claim (a Unix timestamp) that the resource server checks on every request, rejecting the token once the current time passes it. OAuth 2.0 commonly issues short-lived access tokens alongside longer-lived refresh tokens: the access token expires in minutes, and the client silently exchanges the refresh token for a new one, so a leaked access token is useful only briefly. Session tokens behave similarly with idle and absolute timeouts.
This matters because tokens are bearer credentials - whoever holds one is treated as authenticated. Without expiration, a token captured through interception, an XSS payload, a logged URL, or a breached database would grant access indefinitely. Short lifetimes shrink the replay window, force periodic revalidation against current authorization state, and complement revocation. Standards like OAuth 2.0 and OpenID Connect rely on bounded token lifetimes as a core defense, balanced against usability so users are not reauthenticated constantly.
For example, an API issues JWT access tokens with a 15-minute "exp" and 8-hour refresh tokens. An attacker who steals an access token from a browser via XSS can call the API only until that 15-minute mark, after which every request is rejected as expired. The legitimate client, meanwhile, uses its refresh token to obtain fresh access tokens transparently - and if the breach is detected, revoking the refresh token cuts off renewal entirely.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →