diff --git a/src/backend/libpq/auth-oauth.c b/src/backend/libpq/auth-oauth.c
index 11365048951..eef238417e7 100644
--- a/src/backend/libpq/auth-oauth.c
+++ b/src/backend/libpq/auth-oauth.c
@@ -684,6 +684,13 @@ validate(Port *port, const char *auth)
 goto cleanup;
 }
 
+ /*
+ * Store the token expiration time in the Port structure. This allows
+ * the backend to enforce session limits.
+ */
+ if (ret->expiry > 0)
+ port->expiry = ret->expiry;
+
 if (port->hba->oauth_skip_usermap)
 {
 /*
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 921b2daa4ff..9bc9625d0ba 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -238,6 +238,14 @@ typedef struct Port
 char *raw_buf;
 ssize_t raw_buf_consumed,
 raw_buf_remaining;
+
+ /*
+ * The expiration time of the authentication credential. If non-zero, it
+ * represents the point in time after which the current session is considered
+ * invalid.
+ */
+ TimestampTz expiry;
+
 } Port;
 
 /*
diff --git a/src/include/libpq/oauth.h b/src/include/libpq/oauth.h
index 4a822e9a1f2..e7e360d9416 100644
--- a/src/include/libpq/oauth.h
+++ b/src/include/libpq/oauth.h
@@ -49,6 +49,12 @@ typedef struct ValidatorModuleResult
 * delegation. See the validator module documentation for details.
 */
 char *authn_id;
+
+ /*
+ * The expiration time of the token (e.g., from the 'exp' claim).
+ * If provided, the backend can use this to limit session duration.
+ */
+ TimestampTz expiry;
 } ValidatorModuleResult;
 
 /*
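Review bot: The new guard in validate() (auth-oauth.c hunk) only tests `ret->expiry > 0`, so an expiry that already lies in the past is copied into `port->expiry` and authentication still continues to the usermap handling below. A credential the validator itself reports as expired should be rejected at this point: compare against the current time, e.g. `if (ret->expiry > 0 && ret->expiry <= GetCurrentTimestamp())`, log the reason and take the same `goto cleanup` failure path used just above the added lines. Otherwise the outcome depends entirely on a later enforcement point that this diff does not show. validate() starts and ends outside the hunk, so the exact failure-status handling has to be checked against the full function.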
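Review bot: The comment on `Port.expiry` (libpq-be.h hunk) says the session "is considered invalid" after this time, but nothing in this diff reads the field, so a reader cannot tell whether the limit is enforced or merely recorded. The comment should state the contract: that the field is written by the OAuth `validate()` path, that zero means no expiry was reported, and which code checks it (or that no check exists yet), for example `Zero means no expiry. Set by OAuth validate(); enforcement is done by the code that checks this field, not by storing it.` As a style point, the trailing blank `+` line leaves an empty line directly before `} Port;`, which the struct did not have before.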
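Review bot: The comment on `ValidatorModuleResult.expiry` (oauth.h hunk) gives neither unit nor epoch, and pointing at the 'exp' claim invites a validator author to assign the claim directly. A JWT `exp` is seconds since the Unix epoch, whereas `TimestampTz` counts microseconds from the PostgreSQL epoch (2000-01-01), so a raw copy passes the `ret->expiry > 0` check in validate() yet denotes a moment shortly after 2000-01-01. I would extend the comment with something like `Must be a TimestampTz; convert a Unix-seconds 'exp' value (e.g. with time_t_to_timestamptz()) before storing it. Leave as zero if the token carries no expiry.` It is also worth confirming that `TimestampTz` is declared for every file that includes oauth.h, since the header's include list is outside the hunk.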