diff --git a/cmd/crproxy/cluster/auth/auth.go b/cmd/crproxy/cluster/auth/auth.go
index 1f64aa9..484b6a4 100644
--- a/cmd/crproxy/cluster/auth/auth.go
+++ b/cmd/crproxy/cluster/auth/auth.go
@@ -33,6 +33,7 @@ type flagpole struct {
 	TokenPrivateKeyFile string
 	TokenPublicKeyFile string
+	TokenExpiresSecond int
 	SimpleAuthUserpass map[string]string
@@ -49,7 +50,8 @@ type flagpole struct {
 func NewCommand() *cobra.Command {
 	flags := &flagpole{
-		Address: ":18000",
+		Address: ":18000",
+		TokenExpiresSecond: 3600,
 	}
 	cmd := &cobra.Command{
@@ -69,6 +71,7 @@ func NewCommand() *cobra.Command {
 	cmd.Flags().StringVar(&flags.TokenPrivateKeyFile, "token-private-key-file", "", "private key file")
 	cmd.Flags().StringVar(&flags.TokenPublicKeyFile, "token-public-key-file", "", "public key file")
+	cmd.Flags().IntVar(&flags.TokenExpiresSecond, "token-expires-second", flags.TokenExpiresSecond, "Token expires second")
 	cmd.Flags().StringToStringVar(&flags.SimpleAuthUserpass, "simple-auth-userpass", flags.SimpleAuthUserpass, "Simple auth userpass")
@@ -196,7 +199,7 @@ func runE(ctx context.Context, flags *flagpole) error {
 		return t.Attribute, true
 	}
-	gen := token.NewGenerator(token.NewEncoder(signing.NewSigner(privateKey)), authFunc, logger)
+	gen := token.NewGenerator(token.NewEncoder(signing.NewSigner(privateKey)), authFunc, flags.TokenExpiresSecond, logger)
 	container.Handle("/auth/token", gen)
 	var handler http.Handler = container
diff --git a/token/generator.go b/token/generator.go
index 85fc50a..896f1ed 100644
--- a/token/generator.go
+++ b/token/generator.go
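Review bot: The help string `"Token expires second"` on the new `--token-expires-second` flag does not tell an operator what the value controls or that the issued token actually lives longer than configured, since ServeHTTP in token/generator.go adds a fixed 10 seconds on top of it. Suggest `cmd.Flags().IntVar(&flags.TokenExpiresSecond, "token-expires-second", flags.TokenExpiresSecond, "lifetime of issued tokens in seconds (the generator adds a 10s margin)")`. NewCommand continues outside the hunk.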
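Review bot: `flags.TokenExpiresSecond` is passed straight into `token.NewGenerator` on the new `gen := ...` line without a range check, so `--token-expires-second=0` or a negative value is accepted and yields tokens that expire within the generator's 10-second margin or are already expired when issued, while an arbitrarily large value silently produces long-lived bearer tokens. Since runE already returns an error, reject bad values before the generator is built, e.g. `if flags.TokenExpiresSecond <= 0 { return fmt.Errorf("token-expires-second must be positive, got %d", flags.TokenExpiresSecond) }` (assuming fmt is imported in this file, which the hunk does not show), and consider an upper bound matching the deployment's token policy. runE begins and ends outside the hunk.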
@@ -15,20 +15,23 @@ import (
 )
 type Generator struct {
-	authFunc func(r *http.Request, userinfo *url.Userinfo, t *Token) (Attribute, bool)
-	logger *slog.Logger
-	tokenEncoder *Encoder
+	authFunc func(r *http.Request, userinfo *url.Userinfo, t *Token) (Attribute, bool)
+	logger *slog.Logger
+	expiresSecond int
+	tokenEncoder *Encoder
 }
 func NewGenerator(
 	tokenEncoder *Encoder,
 	authFunc func(r *http.Request, userinfo *url.Userinfo, t *Token) (Attribute, bool),
+	expiresSecond int,
 	logger *slog.Logger,
 ) *Generator {
 	return &Generator{
-		authFunc: authFunc,
-		expiresSecond: expiresSecond,
-		logger: logger,
-		tokenEncoder: tokenEncoder,
+		authFunc: authFunc,
+		expiresSecond: expiresSecond,
+		logger: logger,
+		tokenEncoder: tokenEncoder,
 	}
 }
@@ -46,8 +49,8 @@ func (g *Generator) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
 	rw.Header().Set("Content-Type", "application/json")
-	now := time.Now()
-	expiresIn := 60
+	now := time.Now().UTC()
+	expiresIn := g.expiresSecond
 	t.ExpiresAt = now.Add((time.Duration(expiresIn) + 10) * time.Second)
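Review bot: `NewGenerator` is exported and gains a new positional `expiresSecond int` parameter, but neither the constructor nor the new struct field documents the unit, that the value excludes the 10-second margin ServeHTTP adds, or what a non-positive value means. Suggest a doc comment above the constructor, `// NewGenerator returns a Generator that signs tokens with tokenEncoder; expiresSecond is the token lifetime in seconds, to which ServeHTTP adds a fixed 10s margin.`, and on the field `expiresSecond int // token lifetime in seconds; see ServeHTTP`. Inserting the parameter between authFunc and logger also changes the positional signature for every existing caller, which the commit description should mention.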
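Review bot: `expiresIn := g.expiresSecond` is used unchecked on the `t.ExpiresAt` line, so a non-positive `expiresSecond` produces a token that is valid only for the 10-second margin or is already expired at issue time, and a large negative value makes `time.Duration(expiresIn) * time.Second` wrap. If expiresIn is also written into the response body further down (not visible in this hunk), the client's view of the lifetime and the token's actual expiry would then disagree. A defensive guard before the computation, `if expiresIn <= 0 { expiresIn = 60 }` (60 being the value the removed line hard-coded), keeps the generator safe regardless of how callers construct it, and the `+ 10` deserves a why-comment such as `// +10s margin on top of the configured lifetime — NOTE(review): presumably clock-skew allowance, confirm intent`. ServeHTTP begins outside the hunk.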