diff --git a/src/agent/config.rs b/src/agent/config.rs
index 7d7f704..dfe14c2 100644
--- a/src/agent/config.rs
+++ b/src/agent/config.rs
@@ -9,6 +9,7 @@ pub struct AgentConfiguration {
 pub scopes: Vec,
 pub grace_period: Duration,
 pub audience: Option,
+ pub max_expiration: Option,
 pub default_login_options: Option,
 pub default_logout_options: Option,
diff --git a/src/agent/mod.rs b/src/agent/mod.rs
index 43476cd..f72ae3f 100644
--- a/src/agent/mod.rs
+++ b/src/agent/mod.rs
@@ -22,7 +22,7 @@ use log::error;
 use num_traits::cast::ToPrimitive;
 use reqwest::Url;
 use state::*;
-use std::{collections::HashMap, fmt::Debug, time::Duration};
+use std::{cmp::min, collections::HashMap, fmt::Debug, time::Duration};
 use tokio::sync::mpsc::{channel, Receiver, Sender};
 use wasm_bindgen::JsValue;
 use wasm_bindgen_futures::spawn_local;
@@ -221,6 +221,7 @@ where
 pub struct InnerConfig {
 scopes: Vec,
 grace_period: Duration,
+ max_expiration: Option,
 audience: Option,
 default_login_options: Option,
 default_logout_options: Option,
@@ -290,8 +291,17 @@ where
 .as_ref()
 .map(|c| c.grace_period)
 .unwrap_or_default();
+
+ let mut expires = *expires;
+ if let Some(max) = self.config.as_ref().and_then(|cfg| cfg.max_expiration) {
+ // cap time the token expires by "max"
+ expires = min(expires, max.as_secs());
+ }
+
+ // get now as seconds
 let now = Date::now() / 1000f64;
- let diff = *expires as f64 - now - grace.as_secs_f64();
+ // get delta from now to expiration minus the grace period
+ let diff = expires as f64 - now - grace.as_secs_f64();
 let tx = self.tx.clone();
 if diff > 0f64 {
@@ -368,6 +378,7 @@ where
 audience,
 default_login_options,
 default_logout_options,
+ max_expiration,
 } = config;
 let client = C::from_config(config).await?;
@@ -378,6 +389,7 @@ where
 audience,
 default_login_options,
 default_logout_options,
+ max_expiration,
 };
 Ok((client, inner))
diff --git a/src/components/context/mod.rs b/src/components/context/mod.rs
index eed0850..08067cd 100644
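Review bot: `min(expires, max.as_secs())` in the `@@ -290,8 +291,17 @@` hunk of src/agent/mod.rs compares an absolute timestamp with what reads as a relative duration. `expires` is used a few lines later as epoch seconds (`expires as f64 - now`, with `now = Date::now() / 1000f64`), while `max.as_secs()` is a length of time. With any realistic cap the minimum is the small duration value, `diff` becomes negative and the `if diff > 0f64` branch is skipped, so the lifetime limit presumably behaves as "already expired" instead of as a cap (the else branch is outside the hunk). Moving `let now = Date::now() / 1000f64;` above the `if let` and writing `expires = min(expires, (now as u64).saturating_add(max.as_secs()));` would bound the lifetime relative to the current time. The enclosing function starts and ends outside the hunk, so the type and meaning of `expires` should be confirmed there.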
--- a/src/components/context/mod.rs +++ b/src/components/context/mod.rs @@ -28,6 +28,14 @@ pub struct OAuth2Properties { #[prop_or(Duration::from_secs(30))] pub grace_period: Duration, + /// A maximum expiration time. + /// + /// This can be used to limit the token timeout. If present, the token will be considered + /// expired at the provided expiration or the configured maximum expiration, whatever is + /// first. + #[prop_or_default] + pub max_expiration: Option, + // The audience to be associated to the access tokens inside this context #[prop_or_default] pub audience: Option, @@ -50,6 +58,8 @@ impl PartialEq for OAuth2Properties { self.config == other.config && self.scopes == other.scopes && self.grace_period == other.grace_period + && self.max_expiration == other.max_expiration + && self.audience == other.audience && self.children == other.children } } @@ -136,6 +146,7 @@ impl OAuth2 { config: props.config.clone(), scopes: props.scopes.clone(), grace_period: props.grace_period, + max_expiration: props.max_expiration, audience: props.audience.clone(), default_login_options: props.login_options.clone(), default_logout_options: props.logout_options.clone(),
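Review bot: The new doc comment on `max_expiration` in the `@@ -28,6 +28,14 @@` hunk does not say what the value is measured from or in what form it is given. "The configured maximum expiration" can be read as a point in time or as a lifetime, and the agent code calls `.as_secs()` on it, which suggests a lifetime. Since this is the setting an integrator uses to shorten session lifetime, the reference point belongs in the doc. Once the intended semantics are settled, something like `/// Upper bound on the token lifetime; the token is treated as expired at its own expiry or once this duration has elapsed, whichever comes first.` would remove the ambiguity.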
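Review bot: `login_options` and `logout_options` are still missing from the `eq` chain in the `@@ -50,6 +58,8 @@` hunk, although the `@@ -136,6 +146,7 @@` hunk reads both from the same props. If the framework relies on this `PartialEq` to decide whether changed properties are applied, an update to those options would be silently ignored, the same class of gap this commit closes for `audience`. If their types implement `PartialEq`, adding `&& self.login_options == other.login_options` and `&& self.logout_options == other.logout_options` would cover them; otherwise a short comment on the impl explaining the omission would help. The `fn eq` signature is outside the hunk.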