tokens now expire

Kevin Harper · Kevin Harper · commit 43327caba8e7 · 2017-06-02T09:57:51.000-05:00
diff --git a/guides/v2.0/get-started/authentication/gs-authentication-token.md b/guides/v2.0/get-started/authentication/gs-authentication-token.md
@@ -25,7 +25,9 @@ Request|REST|SOAP
 Get an admin token | `POST /V1/integration/admin/token` | `integrationAdminTokenServiceV1`
 Get a customer token | `POST /V1/integration/customer/token` | `integrationCustomerTokenServiceV1`
 
-For most {% glossarytooltip 377dc0a3-b8a7-4dfa-808e-2de37e4c0029 %}web API{% endglossarytooltip %} calls, you supply this token in the `Authorization` request header with the `Bearer` HTTP {% glossarytooltip 34ecb0ab-b8a3-42d9-a728-0b893e8c0417 %}authorization{% endglossarytooltip %} scheme to prove your identity. The token never expires, but it can be revoked.
+For most {% glossarytooltip 377dc0a3-b8a7-4dfa-808e-2de37e4c0029 %}web API{% endglossarytooltip %} calls, you supply this token in the `Authorization` request header with the `Bearer` HTTP {% glossarytooltip 34ecb0ab-b8a3-42d9-a728-0b893e8c0417 %}authorization{% endglossarytooltip %} scheme to prove your identity. By default, an admin token is valid for 4 hours, while a customer token is valid for 1 hour. You can change these values from Admin by selecting **Configuration > Services > OAuth > Access Token Expiration**.
+
+A cron job that runs hourly removes all expired tokens. 
 
 ## Request a token {#request-token}
 
@@ -70,9 +72,9 @@ The following image shows a token request for the {% glossarytooltip 29ddb393-ca
 
 The following example uses the `curl` command to request a token for a customer account:
 
-`curl -X POST "https://magento.host/index.php/rest/V1/integration/customer/token" \
+<code>curl -X POST "https://magento.host/index.php/rest/V1/integration/customer/token" \
      -H "Content-Type:application/json" \
-     -d '{"username":"customer1@example.com", "password":"customer1pw"}'`
+     -d '{"username":"customer1@example.com", "password":"customer1pw"}'</code>
 
 The following example makes the same request with {% glossarytooltip 8c0645c5-aa6b-4a52-8266-5659a8b9d079 %}XML{% endglossarytooltip %} for a customer account token:
 
diff --git a/guides/v2.1/get-started/order-tutorial/order-admin-token.md b/guides/v2.1/get-started/order-tutorial/order-admin-token.md
@@ -46,6 +46,8 @@ This section lists the information that Magento sends to the REST client. These
 
 Most REST calls to Magento require an {% glossarytooltip 34ecb0ab-b8a3-42d9-a728-0b893e8c0417 %}authorization{% endglossarytooltip %} token. The token allows Magento to verify that the caller is authorized to access a system resource. To get a token, you must specify the user's username and password in the payload.
 
+By default, an admin token is valid for 4 hours. To change this value, log in to Admin and go to **Configuration > Services > OAuth > Access Token Expiration**.
+
 See [Token-based authentication]({{page.baseurl}}get-started/authentication/gs-authentication-token.md) for more information about authorization tokens.
 
 **Endpoint**
diff --git a/guides/v2.1/get-started/order-tutorial/order-create-customer.md b/guides/v2.1/get-started/order-tutorial/order-create-customer.md
@@ -119,7 +119,10 @@ You can log in to the Luma store using the user name `jdoe@example.com` and pass
 
 ### Get the customer's access token {#get-token}
 
-To get a customer's access token, you must specify the customer's username and password in the payload. You do not need to specify an {% glossarytooltip 34ecb0ab-b8a3-42d9-a728-0b893e8c0417 %}authorization{% endglossarytooltip %} token.
+To get a customer's access token, you must specify the customer's username and password in the payload. You do not need to specify an admin {% glossarytooltip 34ecb0ab-b8a3-42d9-a728-0b893e8c0417 %}authorization{% endglossarytooltip %} token.
+
+By default, a customer token is valid for 1 hour. To change this value, log in to Admin and go to **Configuration > Services > OAuth > Access Token Expiration**.
+
 
 **Endpoint**
 
