diff --git a/rest.js b/rest.js
index 6c96ea1..7eabd6d 100644
--- a/rest.js
+++ b/rest.js
@@ -11,11 +11,23 @@ function makeB64UrlSafe(b64) {
 function timespan(duration, max) {
 var timestamp = Math.floor(Date.now() / 1000);
+ if (!duration) {
+ return;
+ }
 if (typeof duration === 'string') {
- duration = Math.floor(require('ms')(duration) / 1000);
+ duration = Math.floor(require('ms')(duration) / 1000) || 0;
 }
 if (typeof duration !== 'number') {
- return timestamp;
+ return 0;
+ }
+ // Handle the case where the user gave us a timestamp instead of duration for the expiration.
+ // Also make the maximum explicitly defined expiration as one year.
+ if (duration > 31557600) {
+ if (duration > timestamp) {
+ return duration - timestamp;
+ } else {
+ return 31557600;
+ }
 }
 if (max && timestamp+duration > max) {
@@ -461,8 +473,16 @@ module.exports.create = function (bigconf, deps, app) {
 kid: jwk.kid
 }
 };
- var accessOpts = {expiresIn: timespan(req.body.exp || '1d', token_info.exp)};
- var refreshOpts = {expiresIn: timespan(req.body.refresh_exp, token_info.exp)};
+ var accessOpts = {};
+ // We set `expiresIn` like this to make it possible to send `null` and `exp` to have
+ // no expiration while still having a default of 1 day.
+ if (req.body.hasOwnProperty('exp')) {
+ accessOpts.expiresIn = timespan(req.body.exp, token_info.exp);
+ } else {
+ accessOpts.expiresIn = timespan('1d', token_info.exp);
+ }
+ var refreshOpts = {};
+ refreshOpts.expiresIn = timespan(req.body.refresh_exp, token_info.exp);
 var jwt = require('jsonwebtoken');
 var result = {};
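Review bot: The two `return`s inside the new `if (duration > 31557600)` block leave timespan before the `max` clamp on the hunk's last line runs, so an absolute-timestamp `exp` (or the one-year fallback) is never bounded by `max`, and a timestamp several years out also exceeds the one-year cap the new comment promises. Assigning instead of returning keeps the clamp in force: replace the nested returns with `duration = duration > timestamp ? duration - timestamp : 31557600;` and fall through to the `max` check. The added `if (!duration) { return; }` bypasses `max` as well: jsonwebtoken omits the `exp` claim when `expiresIn` is undefined, so a request carrying `exp: null`, `0` or `""` produces a token that never expires regardless of the caller's `max`; if that is the intended contract (the second hunk's comment suggests it is), the function deserves a header comment stating it, e.g. `// A falsy duration returns undefined, which jwt.sign treats as "no exp claim"; that path is NOT bounded by max.` The body of timespan continues past the end of the hunk.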
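Review bot: `refreshOpts.expiresIn = timespan(req.body.refresh_exp, token_info.exp)` has no default, and with the first hunk's `if (!duration) { return; }` a request that omits `refresh_exp` now yields undefined, so the refresh token is signed with no `exp` claim at all (the old code returned `timestamp` here, which was its own bug, but at least produced a bounded number). A default in the same spirit as the access token, e.g. `timespan(req.body.refresh_exp || '1d', token_info.exp)` (the `'1d'` value is just the one already used on this page; pick the intended refresh lifetime), keeps refresh tokens bounded by `token_info.exp`. Separately, `req.body.hasOwnProperty('exp')` looks the method up through the parsed body, so a JSON body that defines a `hasOwnProperty` member throws a TypeError from this handler; `Object.prototype.hasOwnProperty.call(req.body, 'exp')` avoids that. The `create` handler begins and ends outside the hunk.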