By default, the OAuth 2 token that is generated in an Apigility app expires in 1 hour. Upon expiry, the client is expected to use the refresh token to get a new access token.
You can see this when you authenticate via a POST to /oauth as you get this response back:
{ "access_token": "3812aaea7640a2567c66e21e2587450821103552", "expires_in": 3600, "token_type": "Bearer", "scope": null, "refresh_token": "72d5df08c971526a4ba7c83ec2a7b92d82d9715b" }
If you need longer than 1 hour, then simply add this top level configuration setting:
'zf-oauth2' => [ 'access_lifetime' => 7200, ],
The access_lifetime key controls the expiry time and is in seconds, so in this case I’ve set it to 2 hours.
Source: AKRABAT