[DOCS] Document default OAuth token `expires_in` behavior when omitted
Documentation Type
Missing documentation (feature not documented)
Documentation Location
https://docs.claude.com/en/docs/claude-code/overview
Section/Topic
Settings
Current Documentation
I believe this isn't documented. Not sure where this should go, though.
What's Wrong or Missing?
Claude Code assumes a 3600s expiry time when an OAuth token is issued with expires_in omitted.
RFC 6749 Section 5.1 states that expires_in is OPTIONAL, it doesn't clearly specify what clients should do when this field is omitted and no alternative expiry information is provided.
I was assuming the absence of expires_in would lead to an infinitely lasting token.
Suggested Improvement
Request for clarification:
- Is the 3600-second default intentional?
- Could this be documented?
This would help OAuth server implementers understand expected client behavior.
Impact
Medium - Makes feature difficult to understand
Additional Context
Token with an expiry:
{
"access_token": ".............................",
"token_type": "Bearer",
"expires_in": 4321,
"scope": "openid profile email"
}
Claude's debug.txt shows it was taken into account:
[DEBUG] MCP server "identity": Returning tokens
[DEBUG] MCP server "identity": Token length: 68
[DEBUG] MCP server "identity": Has refresh token: false
[DEBUG] MCP server "identity": Expires in: 4320s
Token without an expiry:
{
"access_token": ".............................",
"token_type": "Bearer",
"scope": "openid profile email"
}
debug.txt shows 3600s was assumed.
[DEBUG] MCP server "identity": Returning tokens
[DEBUG] MCP server "identity": Token length: 68
[DEBUG] MCP server "identity": Has refresh token: false
[DEBUG] MCP server "identity": Expires in: 3599sThis issue has 3 comments on GitHub. Read the full discussion on GitHub ↗