diff --git a/src/models/token.js b/src/models/token.js
index 0694bb186..b12ab7fd1 100644
--- a/src/models/token.js
+++ b/src/models/token.js
@@ -1,26 +1,10 @@
 import Collection from '../collection/redis'
 import Model from '../model'
-import {generateToken} from '../utils'
 // ===================================================================
-export default class Token extends Model {
- static generate (userId) {
- return generateToken().then(token => new Token({
- id: token,
- user_id: userId
- }))
- }
-}
+export default class Token extends Model {}
 // -------------------------------------------------------------------
-export class Tokens extends Collection {
- get Model () {
- return Token
- }
-
- generate (userId) {
- return Token.generate(userId).then(token => this.add(token))
- }
-}
+export class Tokens extends Collection {}
diff --git a/src/xo.js b/src/xo.js
index 6bfca06ca..abed00fd8 100644
--- a/src/xo.js
+++ b/src/xo.js
@@ -34,6 +34,7 @@ import {
 forEach,
 isEmpty,
 mapToArray,
+ noop,
 safeDateFormat
 } from './utils'
 import {generateToken} from './utils'
@@ -50,7 +51,7 @@ import {PluginsMetadata} from './models/plugin-metadata'
 import {Remotes} from './models/remote'
 import {Schedules} from './models/schedule'
 import {Servers} from './models/server'
-import {Tokens} from './models/token'
+import Token, {Tokens} from './models/token'
 import {Users} from './models/user'
 // ===================================================================
@@ -873,9 +874,15 @@ export default class Xo extends EventEmitter {
 // -----------------------------------------------------------------
 async createAuthenticationToken ({userId}) {
- // TODO: use plain objects
- const token = await this._tokens.generate(userId)
+ const token = new Token({
+ id: await generateToken(),
+ user_id: userId,
+ expiration: Date.now() + 1e3 * 60 * 60 * 24 * 30 // 1 month validity.
+ })
+ await this._tokens.add(token)
+
+ // TODO: use plain properties directly.
 return token.properties
 }
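Review bot: The token lifetime in `createAuthenticationToken` is an inline expression, `1e3 * 60 * 60 * 24 * 30`, so the 30-day policy is neither named nor adjustable for a caller that needs a shorter-lived credential. I would hoist it to a module-level constant, for example `const TOKEN_VALIDITY = 1e3 * 60 * 60 * 24 * 30 // 30 days, in ms`, and write `expiration: Date.now() + TOKEN_VALIDITY`. The expiry is also only recorded as a property of the token; nothing in this hunk sets a TTL on the stored entry, so a token that is never presented again appears to stay in the collection until something else deletes it.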
@@ -886,12 +893,22 @@ export default class Xo extends EventEmitter {
 }
 async getAuthenticationToken (id) {
- const token = await this._tokens.first(id)
+ let token = await this._tokens.first(id)
 if (!token) {
 throw new NoSuchAuthenticationToken(id)
 }
- return token.properties
+ token = token.properties
+
+ if (!(
+ token.expiration > Date.now()
+ )) {
+ this._tokens.remove(id).catch(noop)
+
+ throw new NoSuchAuthenticationToken(id)
+ }
+
+ return token
 }
 // -----------------------------------------------------------------
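Review bot: The expiry test `!(token.expiration > Date.now())` in `getAuthenticationToken` fails closed when `expiration` is missing or not numeric, so every token stored before this commit is rejected and removed the first time it is used. That is a safe default, but it is invisible to the next reader. A comment above the condition would cover it: `// Written as !(a > b) so a missing or invalid expiration counts as expired, including tokens created before expirations existed.` Separately, `this._tokens.remove(id).catch(noop)` discards any removal error. The request is still refused, but a persistent failure to purge expired tokens would go unnoticed, so logging the rejection instead of passing `noop` is worth considering.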