diff --git a/authentikos/authentikos.go b/authentikos/authentikos.go
index 96cad292e4e..61723eaeb49 100755
--- a/authentikos/authentikos.go
+++ b/authentikos/authentikos.go
@@ -77,7 +77,7 @@ const (
 var timeNow = time.Now
 // tokenCreator is a function that creates an oauth token.
-type tokenCreator func(forceRefresh bool, tries int) ([]byte, error)
+type tokenCreator func(forceRefresh bool, tries int) ([]byte, *time.Time, error)
 // secretCreator is a function that creates a kubernetes secret.
 type secretCreator func() ([]*corev1.Secret, namespacedErrors)
@@ -109,7 +109,8 @@ func (errs namespacedErrors) Errors() string {
 // tokenTemplate is the template data structure.
 type tokenTemplate struct {
- Token string
+ Token string
+ Expire int64
 }
 // options are the available command-line flags.
@@ -240,7 +241,7 @@ func withBackoff(factor float64, retry int, f interface{}) interface{} {
 return f
 }
-func generateTokenData(o options, data []byte) ([]byte, error) {
+func generateTokenData(o options, data []byte, expiration *time.Time) ([]byte, error) {
 var b bytes.Buffer
 tmpl, err := template.New("TokenData").Funcs(sprig.FuncMap()).Parse(o.template)
@@ -248,7 +249,10 @@ func generateTokenData(o options, data []byte) ([]byte, error) {
 return nil, err
 }
- err = tmpl.Execute(&b, &tokenTemplate{Token: string(data)})
+ err = tmpl.Execute(&b, &tokenTemplate{
+ Token: string(data),
+ Expire: expiration.Unix(),
+ })
 if err != nil {
 return nil, err
 }
@@ -299,9 +303,9 @@ func getOauthTokenCreator(o options) (tokenCreator, error) {
 return client, err
 }
- create = func(forceRefresh bool, tries int) ([]byte, error) {
+ create = func(forceRefresh bool, tries int) ([]byte, *time.Time, error) {
 if tries <= 0 {
- return nil, fmt.Errorf("maximum tries: %d exceeded to force refresh token", maxTries)
+ return nil, nil, fmt.Errorf("maximum tries: %d exceeded to force refresh token", maxTries)
 }
 client, err := clientCreator(forceRefresh)
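Review bot: The new `Expire` field of `tokenTemplate` (hunk at -109) carries no comment stating its unit, and template authors only ever see the field name. The later hunk fills it with `expiration.Unix()`, so a field comment such as `// Expire is the token expiry in Unix seconds.` would document that. The `tokenCreator` comment in the first hunk could likewise say that the second result is the token's expiry time.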
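Review bot: `generateTokenData` (hunk at -248) calls `expiration.Unix()` on a `*time.Time` with no nil check, so a nil argument panics while the template data is being built. The one caller visible on this page, the loop in `getSecretCreator`, tests `err` before using the value, but `createOrUpdateSecret` and `generateTokenData` now accept the pointer from any caller. Either guard before `tmpl.Execute` with `if expiration == nil { return nil, fmt.Errorf("token expiration is nil") }`, or carry `time.Time` by value through `tokenCreator`, `createOrUpdateSecret` and `generateTokenData` so that nil cannot occur. The function's signature is in the previous hunk and its body continues past this one.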
@@ -322,15 +326,15 @@ func getOauthTokenCreator(o options) (tokenCreator, error) {
 return withBackoff(1, maxTries-tries, create).(tokenCreator)(true, tries-1)
 }
- return []byte(token.AccessToken), nil
+ return []byte(token.AccessToken), &token.Expiry, nil
 }
 return create, nil
 }
 // createOrUpdateSecret creates or updates a kubernetes secrets.
-func createOrUpdateSecret(o options, client v1.SecretsGetter, ns string, secretData []byte) (*corev1.Secret, error) {
- data, err := generateTokenData(o, secretData)
+func createOrUpdateSecret(o options, client v1.SecretsGetter, ns string, secretData []byte, expiration *time.Time) (*corev1.Secret, error) {
+ data, err := generateTokenData(o, secretData, expiration)
 if err != nil {
 return nil, err
 }
@@ -375,9 +379,9 @@ func getSecretCreator(o options, create tokenCreator) (secretCreator, error) {
 )
 for _, ns := range o.namespace {
- if secretData, err := create(o.forceRefresh, maxTries); err != nil {
+ if secretData, expiration, err := create(o.forceRefresh, maxTries); err != nil {
 errs = append(errs, &namespacedError{ns, err.Error()})
- } else if secret, err := createOrUpdateSecret(o, client, ns, secretData); err != nil {
+ } else if secret, err := createOrUpdateSecret(o, client, ns, secretData, expiration); err != nil {
 errs = append(errs, &namespacedError{ns, err.Error()})
 } else {
 secrets = append(secrets, secret)
diff --git a/authentikos/examples/authentikos-deployment.yaml b/authentikos/examples/authentikos-deployment.yaml
index 1fa5f89c696..1c065de4c04 100644
--- a/authentikos/examples/authentikos-deployment.yaml
+++ b/authentikos/examples/authentikos-deployment.yaml
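Review bot: `&token.Expiry` is returned from `create` (hunk at -322) without checking that an expiry is actually set. If `token` is an `oauth2.Token` (its type is not visible here), a zero `Expiry` means the token does not expire, and `Unix()` on the zero time is a large negative number. The grandmatriarch example writes `{{.Expire}}` into the cookie expiry column, where such a value would presumably make a valid credential look expired. Consider handling it in `create`, for example `if token.Expiry.IsZero() { return nil, nil, fmt.Errorf("token has no expiry") }`, or define what `Expire` should be in that case. The closure starts outside this hunk.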
@@ -71,7 +71,7 @@ spec:
 - --creds=/etc/creds/service-account.json
 - --namespace=default,test-pods
 - --scopes=https://www.googleapis.com/auth/devstorage.full_control
- - --template='I acquired a {{.Token}} at {{now | date "3:04PM"}}'
+ - --template='I acquired a {{.Token}} at {{now | date "3:04PM"}} expire at {{.Expire}}'
 volumeMounts:
 - name: creds
 mountPath: /etc/creds
diff --git a/authentikos/examples/authentikos-grandmatriarch-deployment.yaml b/authentikos/examples/authentikos-grandmatriarch-deployment.yaml
index 4180bb1cf0f..05f5c70cbf1 100644
--- a/authentikos/examples/authentikos-grandmatriarch-deployment.yaml
+++ b/authentikos/examples/authentikos-grandmatriarch-deployment.yaml
@@ -73,8 +73,8 @@ spec:
 - --namespace=test-pods
 - --scopes=https://www.googleapis.com/auth/gerritcodereview
 - |
- --template=.googlesource.com TRUE / TRUE {{now | unixEpoch | add 3600}} o {{.Token}}
- source.developers.google.com FALSE / TRUE {{now | unixEpoch | add 3600}} o {{.Token}}
+ --template=.googlesource.com TRUE / TRUE {{.Expire}} o {{.Token}}
+ source.developers.google.com FALSE / TRUE {{.Expire}} o {{.Token}}
 volumeMounts:
 - name: creds
 mountPath: /etc/creds
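Review bot: `{{.Expire}}` in the `authentikos-deployment.yaml` example prints raw Unix seconds beside a clock-formatted `now`, so the sample output mixes two time representations. The template already uses the `date` helper, so `expire at {{.Expire | date "3:04PM"}}` would render it the same way (sprig's `date` accepts epoch seconds). The grandmatriarch template is right to keep the raw value, since the `now | unixEpoch | add 3600` expression it replaces was also an epoch.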