diff --git a/main.go b/main.go
index 1f6083ba4..189a2b56c 100644
--- a/main.go
+++ b/main.go
@@ -70,6 +70,7 @@ func main() {
 region := flag.String("aws-default-region", "", "If set, AWS_DEFAULT_REGION and AWS_REGION will be set to this value in mutated containers")
 regionalSTS := flag.Bool("sts-regional-endpoint", false, "Whether to inject the AWS_STS_REGIONAL_ENDPOINTS=regional env var in mutated pods. Defaults to `false`.")
 watchConfigMap := flag.Bool("watch-config-map", false, "Enables watching serviceaccounts that are configured through the pod-identity-webhook configmap instead of using annotations")
+ flag.Int64Var(&pkg.MinTokenExpiration, "min-token-expiration", pkg.MinTokenExpiration, "Minimum token expiration in seconds. The value is used if user configured the shorter duration than this value")
 version := flag.Bool("version", false, "Display the version and exit")
@@ -90,6 +91,10 @@ func main() {
 os.Exit(0)
 }
+ if pkg.MinTokenExpiration < 600 {
+ klog.Fatal("min-token-expiration must be at least 600 (10 min)")
+ }
+
 config, err := clientcmd.BuildConfigFromFlags(*apiURL, *kubeconfig)
 if err != nil {
 klog.Fatalf("Error creating config: %v", err.Error())
diff --git a/pkg/constants.go b/pkg/constants.go
index 1e498afec..aad97cda7 100644
--- a/pkg/constants.go
+++ b/pkg/constants.go
@@ -18,6 +18,12 @@ const (
 // Default token expiration in seconds if none is defined,
 // which is 24hrs as that is max for EKS
 DefaultTokenExpiration = int64(86400)
- // 1hr is min for kube-apiserver
+)
+ var (
+ // Minimum token expiration in seconds.
+ // The value is used if user configured the shorter duration than this value
+ // This value must be at least 600(=10min) due to kubernetes spec (ref ServiceAccountTokenProjection.ExpirationSeconds).
+ // Note: this can be configured by cli flags
 MinTokenExpiration = int64(3600)
 )
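Review bot: The help text of the new `min-token-expiration` flag in the first main.go hunk does not tell the operator about the lower bound that the second hunk enforces, so a value below 600 is only discovered when the process exits at startup; the sentence "The value is used if user configured the shorter duration than this value" also reads awkwardly. A help string such as `"Minimum token expiration in seconds; a requested expiration shorter than this value is raised to it. Must be at least 600 (the Kubernetes minimum for projected tokens)."` documents both the clamping behaviour the page already describes and the accepted range. main() starts before and continues past this hunk.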
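Review bot: The lower bound `600` in the second main.go hunk is a magic number that is repeated, in prose, in the new comment on `MinTokenExpiration` in pkg/constants.go; if the two ever drift, the check and the documentation will disagree. A named constant next to `DefaultTokenExpiration` (for example `MinAllowedTokenExpiration = int64(600)`, a proposed name) would let the check read `if pkg.MinTokenExpiration < pkg.MinAllowedTokenExpiration {` and the comment reference it. The check also has no upper bound; if the minimum is applied as a floor on requested expirations elsewhere, a value above `DefaultTokenExpiration` (86400, which the existing comment calls the EKS maximum) would presumably produce tokens the page's own comment says are not allowed, so an `|| pkg.MinTokenExpiration > pkg.DefaultTokenExpiration` clause is worth considering if that reading of the clamping code is confirmed. main() starts before and continues past this hunk.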
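Review bot: The new doc comment on `MinTokenExpiration` in pkg/constants.go does not follow the Go convention of starting with the identifier, and moving the value from `const` to `var` makes it mutable package state without saying who is allowed to write it or when. Suggested wording: `// MinTokenExpiration is the minimum token expiration in seconds; a requested expiration shorter than this is raised to it.` followed by `// It is a var so the -min-token-expiration flag can override it at startup; it must not be modified after flag parsing and must be at least 600 (Kubernetes' minimum for ServiceAccountTokenProjection.ExpirationSeconds).` Whether anything reads this variable concurrently with flag parsing cannot be seen from this hunk; the note about write-once-at-startup makes the intended contract explicit either way.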