Managing Refresh Tokens with the exp Claim in OAuth 2.0
Overview

The Refresh Token lifetime in the Access Policy is governed by two key parameters:

  • Idle Lifetime, which resets each time the token is used. 
  • Max Lifetime, which defines the maximum expiration time. 

When the token is introspected, the exp claim reflects the Idle Lifetime (the time of the most recent use plus the idle window), but it can never extend beyond the Max Lifetime, so the token always expires within the configured limits.

Applies To
  • OIDC/OAuth Tokens
  • Refresh Tokens
  • API Access Management 
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

When configuring Refresh Tokens in the Access Policy rule, the lifetime of the Refresh Token is set in two places:

  • The Total (Max) Lifetime of the Refresh Token, marked as 1 in the screenshot below.
  • The Idle Lifetime of the Refresh Token, marked as 2 in the screenshot below.

[Screenshot: Refresh Token lifetime configuration in the Access Policy rule]

When the Refresh Token is introspected through the Introspect Endpoint, the exp claim reflects the Idle Lifetime: each time the Refresh Token is used to renew access tokens, exp is recomputed as the time of that use plus the Idle Lifetime. However, exp can never exceed the Max Lifetime of the Refresh Token, which is fixed at the time of issuance and does not move with use.


Example Scenario

  • Initial Token Issuance: Tokens will be distributed at 4:00 PM.
  • Idle Lifetime of the Refresh Token: 10 minutes.
  • Max Lifetime of the Refresh Token: 30 minutes.

The following table outlines how the expiration of the Refresh Token is updated at different stages:

Time    | Action                                   | Refresh Token Expiry (exp) | Explanation
4:00 PM | Initial issuance of Refresh Token        | 4:10 PM                    | Refresh Token is issued with an Idle Lifetime of 10 minutes.
4:10 PM | Use Refresh Token to renew access token  | 4:20 PM                    | The exp is updated to 10 minutes from the time of renewal.
4:20 PM | Use Refresh Token to renew access token  | 4:30 PM                    | The exp is updated again, now 10 minutes from the latest use.
4:23 PM | Use Refresh Token again                  | 4:30 PM                    | Even though the use is within the Idle Lifetime, exp cannot exceed the Max Lifetime (30 minutes from initial issuance), so it stays at 4:30 PM.
4:25 PM | Use Refresh Token again                  | 4:30 PM                    | No change to exp, as the Max Lifetime has been reached (30 minutes from 4:00 PM).

Key Points

  • Idle Lifetime: The exp time can be refreshed within the Idle Lifetime, but will not exceed the Max Lifetime.
  • Max Lifetime: The Refresh Token has a fixed Max Lifetime (for example, 30 minutes from issuance), and once this is reached, the exp cannot extend further.


NOTE: When the Org Authorization Server mints Refresh Tokens, the Introspect Endpoint returns an exp that reflects the fixed Max Lifetime of 90 days; there is no Idle Lifetime, so exp does not slide with use.
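The following Python script is an added example, not Okta code, that models the lifetime rules described in the Solution, the Example Scenario table and the NOTE above. It replays the 4:00 PM scenario, rejects a token presented after its exp, models the Org Authorization Server case as a policy with no idle window, and reads the remaining lifetime out of a constructed RFC 7662-style introspection response. The class and function names, the sample dates and the sample response body are assumptions made for illustration. It follows the table in accepting a use at the exact exp instant (the 4:10 PM row); RFC 7519 treats exp as exclusive, so a real server may reject that boundary case.

```python
"""Simulation of Okta refresh-token idle/max lifetime rules (added example, not Okta code)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
import json


class RefreshTokenExpired(Exception):
    """Raised when a refresh token is presented after its exp."""


class RefreshTokenPolicy:
    """Lifetime settings of an Access Policy rule (hypothetical model).

    idle=None models the Org Authorization Server case: a fixed lifetime
    with no idle window, so exp never slides.
    """

    def __init__(self, idle: Optional[timedelta], max_lifetime: timedelta):
        if idle is not None and idle > max_lifetime:
            raise ValueError("idle lifetime cannot exceed max lifetime")
        self.idle = idle
        self.max_lifetime = max_lifetime


class RefreshToken:
    """A refresh token whose exp slides with each use, capped at the max lifetime."""

    def __init__(self, policy: RefreshTokenPolicy, issued_at: datetime):
        self.policy = policy
        self.issued_at = issued_at
        # The hard stop is fixed at issuance and never moves.
        self.max_expiry = issued_at + policy.max_lifetime
        self.exp = self._exp_after(issued_at)

    def _exp_after(self, when: datetime) -> datetime:
        if self.policy.idle is None:
            return self.max_expiry
        # Sliding window from the last use, but never past the hard stop.
        return min(when + self.policy.idle, self.max_expiry)

    def use(self, when: datetime) -> datetime:
        """Renew access tokens at `when` and return the new exp.

        A use at exactly the exp instant is accepted to match the table
        above (assumption; RFC 7519 treats exp as exclusive).
        """
        if when > self.exp:
            raise RefreshTokenExpired(f"expired at {clock(self.exp)}, used at {clock(when)}")
        self.exp = self._exp_after(when)
        return self.exp


def clock(dt: datetime) -> str:
    """Formats a time the way the table above does, e.g. '4:10 PM'."""
    hour = dt.hour % 12 or 12
    return f"{hour}:{dt.minute:02d} {'AM' if dt.hour < 12 else 'PM'}"


# Constructed issuance time for the scenario (any date works; UTC keeps timestamps stable).
ISSUED = datetime(2024, 1, 1, 16, 0, tzinfo=timezone.utc)


def walk_scenario() -> List[Tuple[str, str]]:
    """Replays the Example Scenario: issued 4:00 PM, idle 10 min, max 30 min."""
    policy = RefreshTokenPolicy(idle=timedelta(minutes=10), max_lifetime=timedelta(minutes=30))
    token = RefreshToken(policy, ISSUED)
    rows = [(clock(ISSUED), clock(token.exp))]
    for minute in (10, 20, 23, 25):
        when = ISSUED + timedelta(minutes=minute)
        rows.append((clock(when), clock(token.use(when))))
    return rows


# Constructed introspection response (RFC 7662 shape), not captured from Okta.
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "token_type": "Bearer",
    "iat": int(ISSUED.timestamp()),
    "exp": int((ISSUED + timedelta(minutes=10)).timestamp()),
})


def seconds_remaining(introspect_response: str, now: datetime) -> Optional[int]:
    """Returns seconds until the introspected exp, or None if the token is inactive.

    Note that exp alone does not reveal the Max Lifetime: a client must
    remember the original issuance time to know the hard stop.
    """
    body = json.loads(introspect_response)
    if not body.get("active"):
        return None
    return int(body["exp"] - now.timestamp())


if __name__ == "__main__":
    for when, exp in walk_scenario():
        print(f"{when}: exp -> {exp}")
    print("remaining:", seconds_remaining(SAMPLE_INTROSPECTION, ISSUED + timedelta(minutes=4)))
```

Running the script reproduces the table: exp advances to 4:20 PM and 4:30 PM, then stays at 4:30 PM for the 4:23 PM and 4:25 PM uses. Constructing a policy with `idle=None` and a 90-day max lifetime gives the Org Authorization Server behaviour, where `use()` leaves exp unchanged.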
