API refresh tokens must be configured to expire.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-274681	SRG-APP-000400	SRG-APP-000400-API-000865	SV-274681r1143714_rule	2025-09-24	1

Description
By setting an expiration date on refresh tokens, the potential for abuse of a leaked token is reduced. Additionally, limiting their lifespan ensures tokens are regularly rotated, forcing users to reauthenticate periodically, which strengthens overall security and ensures access rights are up to date. This practice helps mitigate risks such as unauthorized access and session hijacking.

ℹ️ Check
Verify API refresh tokens are configured to expire according to organizational defined parameters. If API refresh tokens are not configured to expire according to organizational defined parameters, this is a finding.

✔️ Fix
Build or configure API refresh tokens to expire according to organizational defined parameters.