Expires_in is a OAuth Parameters Registry and is RECOMMENDED to be used to indicate the lifetime in seconds of the Access Token.

For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

The "expires_in" member in JSON must be a numeric value, not a string. Unfortunately quite a few implementations have got this wrong. A likely reason is the quoted value "3600" in the RFC 6749 where "expires_in" is defined. The quotes in the text version of the RFC are only an artefact of the marked-up as a protocol value in the RFC production chain.

If omitted, the Authorization Server SHOULD provide the expiration time via other means or document the default value.

More Information#

There might be more information for this subject on one of the following: