oauth2.dev

exp

IESG

Registry Context

The optional `exp` member gives the token's expiration time as a timestamp in seconds since 1970-01-01 UTC.

Technical Summary

RFC 7662 defines `exp` as an optional integer timestamp indicating when the token will expire and incorporates RFC 7519's NumericDate definition.

When Used

When an authorization server includes token expiration information in a token introspection response.

Normative Requirements

Authorization servers

OPTIONAL
1
  1. RFC 7662 - Section 2.2

    Include the `exp` member in the introspection response..

    exp OPTIONAL. Integer timestamp, measured in the number of seconds since January 1 1970 UTC, indicating when this token will expire.

The `exp` value

MUST
1
  1. RFC 7519 - Section 4.1.4

    Be a number containing a NumericDate value..

    Condition: When `exp` is present.

    Its value MUST be a number containing a NumericDate value.

Validation Guidance

info

Allow `exp` to be omitted from the introspection response.

error

When present, verify that `exp` is an integer NumericDate value.

error

Interpret `exp` in seconds since 1970-01-01 UTC, not milliseconds.

Reference

Details

Entry Id
exp
Name
exp
Description
Expiration timestamp of the token
Change Controller
IESG
Reference
RFC7662 - Section 2.2