OAuth Will Murder Your Children – for one week only!

Yes to variable expiry, but on refresh tokens not access tokens. Access tokens should always be short lived to the point you don't care. But stick it on the refresh token (or make it standard to allow no refresh at all, so it expires after that first hour) - that'd be cool!