diff --git a/src/main.rs b/src/main.rs
index ed9a102..489ff55 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -31,6 +31,10 @@ struct ConfigArgs {
 	#[arg(short, long, default_value = "127.0.0.1:26656")]
 	bind_addr: String,
 
+	/// Access tokens lifetime, in seconds
+	#[arg(long, default_value_t = 3600)]
+	token_lifetime: u32,
+
 	/// Valid time for join requests, in seconds
 	#[arg(short, long, default_value_t = 10)]
 	time_window: u32,
diff --git a/src/routes/auth.rs b/src/routes/auth.rs
index 7922c39..27f4aea 100644
--- a/src/routes/auth.rs
+++ b/src/routes/auth.rs
@@ -13,7 +13,12 @@ pub async fn validate(State(state): State<AppState>, Json(payload): Json<proto::
 		entities::token::Column::AccessToken.eq(payload.accessToken)
 	).one(&state.db).await.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
 
-	if let Some(_t) = token {
+	if let Some(t) = token {
+		if Utc::now() - t.created_at > Duration::seconds(state.cfg.token_lifetime as i64) {
+			warn!(target: "AUTH", "[VALIDATE] expired token!");
+			return Err(StatusCode::UNAUTHORIZED);
+		}
+
 		Ok(StatusCode::NO_CONTENT)
 	} else {
 		warn!(target: "AUTH", "[VALIDATE] invalid token!");
diff --git a/src/routes/session.rs b/src/routes/session.rs
index 3d5342f..02a3464 100644
--- a/src/routes/session.rs
+++ b/src/routes/session.rs
@@ -22,7 +22,10 @@ pub async fn join(State(state): State<AppState>, Json(payload): Json<proto::Join
 	).all(&state.db).await
 		.map_err(|_| (StatusCode::INTERNAL_SERVER_ERROR, proto::Error::simple("db error").json()))?;
 
-	if tokens.iter().any(|x| x.access_token == payload.accessToken) {
+	if tokens.iter().any(|x| {
+		x.access_token == payload.accessToken
+		&& Utc::now() - x.created_at < Duration::seconds(state.cfg.token_lifetime as i64)
+	}) {
 		state.store.lock().await.insert(payload.selectedProfile, JoinAttempt::new(payload.serverId.clone()));
 		info!(target: "SESSION", "[JOIN] user {} has joined server {}", payload.selectedProfile, payload.serverId);
 		Ok(Json(()))