I am a Developer Advocate for Security in Mobile Apps and APIs at approov.io.
Another passion is the Elixir programming language that was designed to be concurrent, distributed and fault tolerant.
Location
Scotland
Education
Self teached Developer
Work
Developer Advocate for Mobile and API Security at approov.io
I would suggest that setting an expiration date less than 10 years in the future is probably a best practice.
I would say that you should always set one, that expires in some minutes, and use refresh tokens to extend the login session for some more time ;)