diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/ClientConfigServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/ClientConfigServiceImpl.java
index 4fcbae41..68be9476 100644
--- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/ClientConfigServiceImpl.java
+++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/sebconfig/impl/ClientConfigServiceImpl.java
@@ -169,6 +169,7 @@ public class ClientConfigServiceImpl implements ClientConfigService {
     private final WebserviceInfo webserviceInfo;
     private final CertificateDAO certificateDAO;
     private final long defaultPingInterval;
+    private final int examAPITokenValiditySeconds;
 
     protected ClientConfigServiceImpl(
             final SEBClientConfigDAO sebClientConfigDAO,
@@ -178,7 +179,8 @@ public class ClientConfigServiceImpl implements ClientConfigService {
             final WebserviceInfo webserviceInfo,
             final CertificateDAO certificateDAO,
             @Qualifier(WebSecurityConfig.CLIENT_PASSWORD_ENCODER_BEAN_NAME) final PasswordEncoder clientPasswordEncoder,
-            @Value("${sebserver.webservice.api.exam.defaultPingInterval:1000}") final long defaultPingInterval) {
+            @Value("${sebserver.webservice.api.exam.defaultPingInterval:1000}") final long defaultPingInterval,
+            @Value("${sebserver.webservice.api.exam.accessTokenValiditySeconds:-1}") final int examAPITokenValiditySeconds) {
 
         this.sebClientConfigDAO = sebClientConfigDAO;
         this.clientCredentialService = clientCredentialService;
@@ -188,6 +190,7 @@ public class ClientConfigServiceImpl implements ClientConfigService {
         this.webserviceInfo = webserviceInfo;
         this.certificateDAO = certificateDAO;
         this.defaultPingInterval = defaultPingInterval;
+        this.examAPITokenValiditySeconds = examAPITokenValiditySeconds;
     }
 
     @Override
@@ -210,8 +213,8 @@ public class ClientConfigServiceImpl implements ClientConfigService {
 
                     baseClientDetails.setScope(Collections.emptySet());
                     baseClientDetails.setClientSecret(Utils.toString(pwd));
-                    baseClientDetails.setAccessTokenValiditySeconds(-1); // not expiring
-                    baseClientDetails.setRefreshTokenValiditySeconds(-1); // not expiring
+                    baseClientDetails.setAccessTokenValiditySeconds(this.examAPITokenValiditySeconds);
+                    baseClientDetails.setRefreshTokenValiditySeconds(-1); // not used, not expiring
 
                     if (log.isDebugEnabled()) {
                         log.debug("Created new BaseClientDetails for id: {}", clientName);
diff --git a/src/main/resources/config/application-ws.properties b/src/main/resources/config/application-ws.properties
index 8342c614..7a38e8cb 100644
--- a/src/main/resources/config/application-ws.properties
+++ b/src/main/resources/config/application-ws.properties
@@ -72,6 +72,7 @@ sebserver.webservice.api.exam.endpoint.discovery=${sebserver.webservice.api.exam
 sebserver.webservice.api.exam.endpoint.v1=${sebserver.webservice.api.exam.endpoint}/v1
 sebserver.webservice.api.exam.event-handling-strategy=SINGLE_EVENT_STORE_STRATEGY
 sebserver.webservice.api.exam.enable-indicator-cache=true
+sebserver.webservice.api.exam.accessTokenValiditySeconds=-1
 sebserver.webservice.api.pagination.maxPageSize=500
 # comma separated list of known possible OpenEdX API access token request endpoints
 sebserver.webservice.lms.openedx.api.token.request.paths=/oauth2/access_token