diff --git a/internal/api/v1/auth/auth.go b/internal/api/v1/auth/auth.go
index 647c279d..40e70899 100644
--- a/internal/api/v1/auth/auth.go
+++ b/internal/api/v1/auth/auth.go
@@ -30,8 +30,6 @@ var (
 	ErrInvalidPassword = E.New("invalid password")
 )
 
-const tokenExpiration = 24 * time.Hour
-
 func validatePassword(cred *Credentials) error {
 	if cred.Username != common.APIUser {
 		return ErrInvalidUsername.Subject(cred.Username)
@@ -54,7 +52,7 @@ func LoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	expiresAt := time.Now().Add(tokenExpiration)
+	expiresAt := time.Now().Add(common.APIJWTTokenTTL)
 	claim := &Claims{
 		Username: creds.Username,
 		RegisteredClaims: jwt.RegisteredClaims{
diff --git a/internal/common/env.go b/internal/common/env.go
index d58880b2..de0b096f 100644
--- a/internal/common/env.go
+++ b/internal/common/env.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/rs/zerolog/log"
 )
@@ -33,6 +34,7 @@ var (
 	APIHTTPURL = GetAddrEnv("GOPROXY_API_ADDR", "127.0.0.1:8888", "http")
 
 	APIJWTSecret    = decodeJWTKey(GetEnv("GOPROXY_API_JWT_SECRET", generateJWTKey(32)))
+	APIJWTTokenTTL  = GetDurationEnv("GOPROXY_API_JWT_TOKEN_TTL", time.Hour)
 	APIUser         = GetEnv("GOPROXY_API_USER", "admin")
 	APIPasswordHash = HashPassword(GetEnv("GOPROXY_API_PASSWORD", "password"))
 )
@@ -69,3 +71,15 @@ func GetAddrEnv(key, defaultValue, scheme string) (addr, host, port, fullURL str
 	fullURL = fmt.Sprintf("%s://%s:%s", scheme, host, port)
 	return
 }
+
+func GetDurationEnv(key string, defaultValue time.Duration) time.Duration {
+	value, ok := os.LookupEnv(key)
+	if !ok || value == "" {
+		return defaultValue
+	}
+	d, err := time.ParseDuration(value)
+	if err != nil {
+		log.Fatal().Msgf("env %s: invalid duration value: %s", key, value)
+	}
+	return d
+}