diff --git a/cmd/dex/config.go b/cmd/dex/config.go
index 6e93478b614636a038fc1cb17ec76396174deeee..6109489a5ab1ed74535e0b8d96db737e3e87c9ad 100644
--- a/cmd/dex/config.go
+++ b/cmd/dex/config.go
@@ -27,6 +27,7 @@ type Config struct {
 	Web        Web         `json:"web"`
 	OAuth2     OAuth2      `json:"oauth2"`
 	GRPC       GRPC        `json:"grpc"`
+	Expiry     Expiry      `json:"expiry"`
 
 	Templates server.TemplateConfig `json:"templates"`
 
@@ -210,3 +211,12 @@ func (c *Connector) UnmarshalJSON(b []byte) error {
 	}
 	return nil
 }
+
+// Expiry holds configuration for the validity period of components.
+type Expiry struct {
+	// SigningKeys defines the duration of time after which the SigningKeys will be rotated.
+	SigningKeys string `json:"signingKeys"`
+
+	// IdTokens defines the duration of time for which the IdTokens will be valid.
+	IDTokens string `json:"idTokens"`
+}
diff --git a/cmd/dex/config_test.go b/cmd/dex/config_test.go
index e49d98ac2ade5f4d11dc3944fc7e53020a11bf25..4bdf0acb4e4f2ce3d08139f4afcbd8981e716d2c 100644
--- a/cmd/dex/config_test.go
+++ b/cmd/dex/config_test.go
@@ -56,6 +56,10 @@ staticPasswords:
   hash: "JDJhJDEwJDMzRU1UMGNWWVZsUHk2V0FNQ0xzY2VMWWpXaHVIcGJ6NXl1Wnh1L0dBRmowM0o5THl0anV5"
   username: "foo"
   userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
+
+expiry:
+  signingKeys: "6h"
+  idTokens: "24h"
 `)
 
 	want := Config{
@@ -113,6 +117,10 @@ staticPasswords:
 				UserID:   "41331323-6f44-45e6-b3b9-2c4b60c02be5",
 			},
 		},
+		Expiry: Expiry{
+			SigningKeys: "6h",
+			IDTokens:    "24h",
+		},
 	}
 
 	var c Config
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 59679642ae80230959f367bab24ef9546ce384f4..24738a77a2909e1b9d3a5ab4a13a08ee55c5be14 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -10,6 +10,7 @@ import (
 	"net"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/ghodss/yaml"
 	"github.com/spf13/cobra"
@@ -152,6 +153,20 @@ func serve(cmd *cobra.Command, args []string) error {
 		TemplateConfig:         c.Templates,
 		EnablePasswordDB:       c.EnablePasswordDB,
 	}
+	if c.Expiry.SigningKeys != "" {
+		signingKeys, err := time.ParseDuration(c.Expiry.SigningKeys)
+		if err != nil {
+			return fmt.Errorf("parsing signingKeys expiry: %v", err)
+		}
+		serverConfig.RotateKeysAfter = signingKeys
+	}
+	if c.Expiry.IDTokens != "" {
+		idTokens, err := time.ParseDuration(c.Expiry.IDTokens)
+		if err != nil {
+			return fmt.Errorf("parsing idTokens expiry: %v", err)
+		}
+		serverConfig.IDTokensValidFor = idTokens
+	}
 
 	serv, err := server.NewServer(context.Background(), serverConfig)
 	if err != nil {
diff --git a/examples/config-dev.yaml b/examples/config-dev.yaml
index b6a4dc09049868570eeb7ebbe4759d2a13112112..134f2766bc7e9c9644a394aff6dd4c1832cdee12 100644
--- a/examples/config-dev.yaml
+++ b/examples/config-dev.yaml
@@ -62,3 +62,7 @@ staticPasswords:
   username: "admin"
   userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
 
+# Uncomment this block to enable configuration for the expiration time durations.
+# expiry:
+#   signingKeys: "6h"
+#   idTokens: "24h"