Merged
4 changes: 1 addition & 3 deletions draft-ietf-oauth-transaction-tokens.md
Expand Up @@ -595,7 +595,7 @@ A successful response to a Txn-Token Request by a Transaction Token Service is c
* The `access_token` value MUST be the Txn-Token JWT
* The `issued_token_type` value MUST bet set to `urn:ietf:params:oauth:token-type:txn_token`

The Txn-Token Response MUST NOT include the values `expires_in`, `refresh_token` and `scope`
The Txn-Token Response MUST NOT include the `refresh_token` value.

{{figtxtokenresponse}} shows a non-normative example of a Txn-Token Response.

Expand Down Expand Up @@ -666,8 +666,6 @@ A Txn-Token is not resistant to replay attacks. A long-lived Txn-Token therefore

Because Txn-Tokens are short-lived, the Txn-Token response from the Txn-Token service does not contain the `refresh_token` field. A Txn-Token cannot be issued by presenting a `refresh_token`.

The `expires_in` field of the OAuth 2.0 Token Exchange specification {{RFC8693}} is not used in Txn-Token responses since the issued token has an `exp` field, which indicates the token lifetime.

## Access Tokens
When creating Txn-Tokens, the Txn-Token MUST NOT contain the Access Token presented to the external endpoint. If an Access Token is included in a Txn-Token, an attacker may extract the Access Token from the Txn-Token, and replay it to any Resource Server that can accept that Access Token. Txn-Token expiry does not protect against this attack since the Access Token may remain valid even after the Txn-Token has expired.
