Minor edits to make the whole thing more readable.
Zalomon

As @Harry Ninh said in the comments, token expiration tends to be a matter of your needs; most systems will let you configure it, and its duration may be anything between a couple of minutes and forever. Also, most systems have a token refresh method: it can be automatic after any use of the token, counting the expiration time from the last time the token was used; or it can be an explicit token refresh method. If I had to choose I'd go for the first method, but that's just an opinion.

Last but not least, most systems also have a token revocation method that can be invoked to immediately invalidate the token.

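An added sketch (not part of the answer, and not any particular system's code) of the three mechanisms described above: expiry that slides on every use, an explicit refresh call, and immediate revocation. The `TokenStore` class and all of its names are hypothetical, and the optional `max_lifetime` hard cap is an assumption that goes beyond the post.

```python
import hashlib
import secrets
import time


class TokenStore:
    """In-memory opaque-token store; every name here is hypothetical."""
    def __init__(self, idle_ttl=900, max_lifetime=None, sliding=True, clock=time.time):
        self.idle_ttl = idle_ttl          # seconds a token lives after issue or last refresh
        self.max_lifetime = max_lifetime  # optional hard cap in seconds (assumption, not in the post)
        self.sliding = sliding            # True: every successful use extends the expiry
        self.clock = clock                # injectable so expiry can be tested offline
        self._tokens = {}                 # sha256(token) -> [user, issued_at, expires_at]

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()  # store digests, never raw tokens

    def _extend(self, rec):
        cap = float("inf") if self.max_lifetime is None else rec[1] + self.max_lifetime
        rec[2] = min(self.clock() + self.idle_ttl, cap)

    def issue(self, user):
        token = secrets.token_urlsafe(32)
        rec = self._tokens[self._key(token)] = [user, self.clock(), 0.0]
        self._extend(rec)
        return token

    def _live(self, token):
        rec = self._tokens.get(self._key(token))
        if rec is not None and self.clock() >= rec[2]:
            del self._tokens[self._key(token)]  # expired: forget it
            rec = None
        return rec

    def validate(self, token):
        rec = self._live(token)
        if rec is not None and self.sliding:
            self._extend(rec)                   # automatic refresh on use
        return rec[0] if rec is not None else None

    def refresh(self, token):
        rec = self._live(token)
        if rec is not None:
            self._extend(rec)                   # explicit refresh, works even if sliding=False
        return rec is not None

    def revoke(self, token):
        return self._tokens.pop(self._key(token), None) is not None  # immediate invalidation
```

With `sliding=True` and no `max_lifetime`, a token that keeps being used never expires, so revocation is then the only way to end it.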