diff --git a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
index b722586a40..af0754b4da 100644
--- a/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/rest/resources/AuthenticationResource.java
@@ -63,6 +63,8 @@ import sonia.scm.util.HttpUtil;
 //~--- JDK imports ------------------------------------------------------------
+import java.util.concurrent.TimeUnit;
+
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -180,6 +182,9 @@ public class AuthenticationResource
 Cookie c = new Cookie("X-Bearer-Token", token);
 c.setPath(request.getContextPath());
+
+ // TODO: should be configureable
+ c.setMaxAge((int) TimeUnit.SECONDS.convert(10, TimeUnit.HOURS));
 c.setHttpOnly(true);
 response.addCookie(c);
 state = stateFactory.createState(subject);
diff --git a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
index 71b694f7ed..f53e0da445 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/BearerTokenGenerator.java
@@ -39,6 +39,8 @@ import io.jsonwebtoken.SignatureAlgorithm;
 import sonia.scm.user.User;
 import static com.google.common.base.Preconditions.*;
+import java.util.Date;
+import java.util.concurrent.TimeUnit;
 //~--- JDK imports ------------------------------------------------------------
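Review bot: The bearer-token cookie built in the AuthenticationResource hunk is never marked Secure, so once it carries a 10-hour max-age it becomes a persistent cookie that browsers will also send over plain HTTP; the lines between `new Cookie("X-Bearer-Token", token)` and `response.addCookie(c)` set only path, max-age and HttpOnly. Adding `c.setSecure(request.isSecure());` next to `c.setHttpOnly(true);` keeps the token off cleartext connections when the login itself came over TLS (behind a TLS-terminating proxy the container must be told the request is secure for that to hold). The 10-hour lifetime is also a second hard-coded literal next to the identical JWT lifetime in BearerTokenGenerator; one shared constant, or the configuration the TODO asks for, keeps the cookie from outliving or undercutting the token it carries. `(int) TimeUnit.HOURS.toSeconds(10)` says the same thing more directly than `TimeUnit.SECONDS.convert(10, TimeUnit.HOURS)`. The enclosing method starts and ends outside the hunk.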
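Review bot: In the BearerTokenGenerator import hunk the new `java.util.Date` and `java.util.concurrent.TimeUnit` lines are inserted after the static Guava import and above the `//~--- JDK imports` marker, which is the section this file reserves for them; the AuthenticationResource hunk in the same commit places its TimeUnit import under that marker. Moving the two lines below the marker keeps both files on the same grouping convention.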
@@ -83,14 +85,18 @@ public final class BearerTokenGenerator
 checkNotNull(user, "user is required");
 SecureKey key = keyResolver.getSecureKey(user.getName());
-
- // TODO add expiration date
+
+ Date now = new Date();
+ // TODO: should be configurable
+ long expiration = TimeUnit.MILLISECONDS.convert(10, TimeUnit.HOURS);
 //J-
 return Jwts.builder()
 .setSubject(user.getName())
 .setId(keyGenerator.createKey())
 .signWith(SignatureAlgorithm.HS256, key.getBytes())
+ .setIssuedAt(now)
+ .setExpiration(new Date(now.getTime() + expiration))
 .compact();
 //J+
 }
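Review bot: `expiration` holds a duration in milliseconds rather than the expiry instant, which the `.setExpiration(new Date(now.getTime() + expiration))` line then has to compute; naming it `ttlMillis` (or `lifetime`) and writing it as `long ttlMillis = TimeUnit.HOURS.toMillis(10);` removes the mismatch and the inside-out `convert` form. The 10 hours here duplicates the cookie max-age set in AuthenticationResource as a second literal; a single shared constant, or the configuration the TODO names, avoids the two drifting apart. Adding `exp` only protects anything if the validating side enforces it — with a JJWT parser that is the default when claims are parsed, but it is worth confirming against the token validation code, which is outside this diff. The generator method's signature is above the hunk.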