From bdf433129475f8e251013f82ab5ab5a0f6e96249 Mon Sep 17 00:00:00 2001 From: jamesfalkner Date: Fri, 26 Jul 2019 16:44:31 -0400 Subject: [PATCH] warning --- docs/security.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/security.adoc b/docs/security.adoc index cbdd52a..7f4b1ac 100644 --- a/docs/security.adoc +++ b/docs/security.adoc @@ -217,6 +217,11 @@ Access forbidden: role not allowed Alice is not an admin. Let's try with admin! +[WARNING] +==== +Access Tokens have a defined lifespan that's typically short (e.g. 5 minutes), so if you wait too long, the token will expire and you'll get denied access. In this case, just re-fetch a new token using the same `curl` command used the first time. Full-fledged applications can take advantage of things like https://oauth.net/2/grant-types/refresh-token/[_Refresh Tokens_] to do this automatically to ensure a good user experience even for slow users. +==== + === Test Admin Obtain an Admin token:
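Review bot: In the added `[WARNING]` block in docs/security.adoc, "you'll get denied access" is ambiguous because it sits directly under the `Access forbidden: role not allowed` output, so a reader whose token has expired cannot tell an expiry failure from the role denial the guide has just demonstrated. Suggest stating the response an expired token actually produces in this guide and how it differs from the role-forbidden message, and linking to the section that contains the first token request instead of "the same `curl` command used the first time". The warning also applies to the Alice token fetched earlier, so it may fit better next to the first token request than between the Alice result and "=== Test Admin". The "e.g. 5 minutes" figure would be more useful if it named where that lifespan is configured for the identity provider this guide uses, so readers shorten their steps rather than lengthen the token lifetime. The subject line "warning" does not say what is being documented; a subject that mentions access token expiry would make the history searchable.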