diff --git a/lib/auth/access.go b/lib/auth/access.go
index 44f912a6811e0..93d1d5d05cf85 100644
--- a/lib/auth/access.go
+++ b/lib/auth/access.go
@@ -22,6 +22,7 @@ import (
 "context"
 "errors"
 "slices"
+ "time"
 "github.com/gravitational/trace"
@@ -190,6 +191,11 @@ func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error {
 return trace.Wrap(err)
 }
+ var expiresTime time.Time
+ // leave as 0 if no lock expiration was set
+ if le := lock.LockExpiry(); le != nil {
+ expiresTime = le.UTC()
+ }
 um := authz.ClientUserMetadata(ctx)
 if err := a.emitter.EmitAuditEvent(a.closeCtx, &apievents.LockCreate{
 Metadata: apievents.Metadata{
@@ -199,6 +205,7 @@ func (a *Server) UpsertLock(ctx context.Context, lock types.Lock) error {
 UserMetadata: um,
 ResourceMetadata: apievents.ResourceMetadata{
 Name: lock.GetName(),
+ Expires: expiresTime,
 UpdatedBy: um.User,
 },
 Target: lock.Target(),
diff --git a/lib/auth/access_test.go b/lib/auth/access_test.go
index 692b0f9985989..ca58c9f0a0b75 100644
--- a/lib/auth/access_test.go
+++ b/lib/auth/access_test.go
@@ -183,6 +183,8 @@ func TestUpsertDeleteLockEventsEmitted(t *testing.T) {
 Target: types.LockTarget{MFADevice: "mfa-device-id"},
 })
 require.NoError(t, err)
+ futureTime := time.Now().UTC().Add(12 * time.Hour)
+ lock.SetLockExpiry(&futureTime)
 // Creating a lock should emit a LockCreatedEvent.
 err = p.a.UpsertLock(ctx, lock)
@@ -190,6 +192,7 @@ func TestUpsertDeleteLockEventsEmitted(t *testing.T) {
 require.Equal(t, events.LockCreatedEvent, p.mockEmitter.LastEvent().GetType())
 require.Equal(t, lock.GetName(), p.mockEmitter.LastEvent().(*apievents.LockCreate).Name)
 require.Equal(t, lock.Target(), p.mockEmitter.LastEvent().(*apievents.LockCreate).Target)
+ require.Equal(t, lock.LockExpiry().UTC(), p.mockEmitter.LastEvent().(*apievents.LockCreate).Expires)
 p.mockEmitter.Reset()
 // When a lock update results in an error, no event should be emitted.
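Review bot: The comment on the new `expiresTime` block says `leave as 0`, but what is left is the zero `time.Time`, and consumers of the LockCreate audit event need to test it with `Expires.IsZero()` to tell a lock that never expires from one with an expiry. Suggest rewording it to `// leave expiresTime as the zero time.Time when the lock has no expiry; a zero Expires in the event means "does not expire"`. The same zero-time convention applies to the `Expires: expiresTime` field added in the following hunk of this file. UpsertLock continues outside the hunk.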
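Review bot: The new `Expires` assertion only exercises the branch where an expiry was set, because the earlier hunk in this file calls `lock.SetLockExpiry(&futureTime)` before the upsert; the `le == nil` path in UpsertLock, which leaves `Expires` as the zero time, is never checked. Consider upserting a second lock without an expiry and asserting `require.True(t, p.mockEmitter.LastEvent().(*apievents.LockCreate).Expires.IsZero())` so a regression that emits a non-zero expiry for a permanent lock is caught. TestUpsertDeleteLockEventsEmitted continues outside the hunk.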