diff --git a/clients/go/admin/deviceflow/payload.go b/clients/go/admin/deviceflow/payload.go
index 656e1a88d..38e8b5502 100644
--- a/clients/go/admin/deviceflow/payload.go
+++ b/clients/go/admin/deviceflow/payload.go
@@ -40,5 +40,6 @@ type DeviceAccessTokenRequest struct {
 
 type DeviceAccessTokenResponse struct {
 	oauth2.Token
-	Error string `json:"error"`
+	Error     string `json:"error"`
+	ExpiresIn int64  `json:"expires_in"` // relative seconds from now
 }
diff --git a/clients/go/admin/deviceflow/token_orchestrator.go b/clients/go/admin/deviceflow/token_orchestrator.go
index c187d586d..b43d1d639 100644
--- a/clients/go/admin/deviceflow/token_orchestrator.go
+++ b/clients/go/admin/deviceflow/token_orchestrator.go
@@ -131,6 +131,9 @@ func (t TokenOrchestrator) PollTokenEndpoint(ctx context.Context, tokReq DeviceA
 				return nil, fmt.Errorf("oauth error : %v", tokResp.Error)
 			}
 		} else {
+			if secs := tokResp.ExpiresIn; secs > 0 {
+				tokResp.Token.Expiry = time.Now().Add(time.Duration(secs) * time.Second)
+			}
 			// Got the auth token in the response and save it in the cache
 			err = t.TokenCache.SaveToken(&tokResp.Token)
 			// Saving into the cache is only considered to be a warning in this case.
diff --git a/clients/go/admin/deviceflow/token_orchestrator_test.go b/clients/go/admin/deviceflow/token_orchestrator_test.go
index 7f6debdfd..df15c0d3a 100644
--- a/clients/go/admin/deviceflow/token_orchestrator_test.go
+++ b/clients/go/admin/deviceflow/token_orchestrator_test.go
@@ -87,6 +87,7 @@ func TestFetchFromAuthFlow(t *testing.T) {
 					Token: oauth2.Token{
 						AccessToken: "access_token",
 					},
+					ExpiresIn: 300,
 				}
 				darBytes, err := json.Marshal(dar)
 				assert.Nil(t, err)
@@ -121,5 +122,6 @@ func TestFetchFromAuthFlow(t *testing.T) {
 		assert.Nil(t, err)
 		assert.NotNil(t, authToken)
 		assert.Equal(t, "access_token", authToken.AccessToken)
+		assert.True(t, authToken.Expiry.After(time.Now().Add(time.Second*200)))
 	})
 }