diff --git a/client.go b/client.go index f06ca1e..7c7d46f 100644 --- a/client.go +++ b/client.go @@ -108,7 +108,8 @@ type ConfigHost struct { } type ConfigEndpointOIDC struct { - Email string + Email string + ExpiresAt *time.Time } // Enroll issues an enrollment request against the REST API using the given enrollment code, passing along a locally @@ -185,7 +186,8 @@ func (c *Client) Enroll(ctx context.Context, logger logrus.FieldLogger, code str if r.EndpointOIDCMeta != nil { meta.EndpointOIDC = &ConfigEndpointOIDC{ - Email: r.EndpointOIDCMeta.Email, + Email: r.EndpointOIDCMeta.Email, + ExpiresAt: r.EndpointOIDCMeta.ExpiresAt, } } @@ -369,7 +371,8 @@ func (c *Client) DoUpdate(ctx context.Context, creds keys.Credentials) ([]byte, if result.EndpointOIDCMeta != nil { meta.EndpointOIDC = &ConfigEndpointOIDC{ - Email: result.EndpointOIDCMeta.Email, + Email: result.EndpointOIDCMeta.Email, + ExpiresAt: result.EndpointOIDCMeta.ExpiresAt, } } diff --git a/client_test.go b/client_test.go index b47c170..6624a31 100644 --- a/client_test.go +++ b/client_test.go @@ -51,6 +51,7 @@ func TestEnroll(t *testing.T) { hostName := "foo host" hostIP := "192.168.100.1" oidcEmail := "demo@defined.net" + oidcExpiresAt := time.Now() counter := uint(5) ca, _ := dnapitest.NebulaCACert() caPEM, err := ca.MarshalToPEM() @@ -94,7 +95,8 @@ func TestEnroll(t *testing.T) { IPAddress: hostIP, }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: oidcEmail, + Email: oidcEmail, + ExpiresAt: &oidcExpiresAt, }, }, }) @@ -144,6 +146,7 @@ func TestEnroll(t *testing.T) { assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) assert.Equal(t, oidcEmail, meta.EndpointOIDC.Email) + assert.WithinDuration(t, oidcExpiresAt, *meta.EndpointOIDC.ExpiresAt, 1*time.Second) // Test error handling errorMsg := "invalid enrollment code" 
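Review bot: The new `ExpiresAt *time.Time` field on `ConfigEndpointOIDC` has no comment saying what expires or what a nil value means, and the same applies to `HostEndpointOIDCMetadata.ExpiresAt` in the message/message.go hunk. A caller that enforces the OIDC expiry has to know whether nil means "no expiry" or "the API did not report one", because reading nil as "never expires" fails open. I would add a comment such as `// ExpiresAt is when the OIDC-backed enrollment expires; nil means the API reported no expiry.` on both fields. The wording needs confirming against the API contract, which this diff does not show.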
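Review bot: The `ConfigEndpointOIDC` literal in Enroll is repeated field for field in DoUpdate (the hunk at -369), so each new field must be added in two places, as this commit had to do. A missed copy would silently drop the expiry on one path. A small unexported helper that does the nil check and the conversion would keep the two in sync, with each call site reduced to `meta.EndpointOIDC = configEndpointOIDC(r.EndpointOIDCMeta)`. Both functions start and end outside their hunks, so this assumes `meta.EndpointOIDC` is still nil at that point. The `message` package name is taken from client_test.go and should be checked against client.go's imports.

```go
// configEndpointOIDC converts the API's OIDC metadata into the client-facing
// form. It returns nil when the response carried no OIDC metadata.
func configEndpointOIDC(m *message.HostEndpointOIDCMetadata) *ConfigEndpointOIDC {
	if m == nil {
		return nil
	}
	return &ConfigEndpointOIDC{
		Email:     m.Email,
		ExpiresAt: m.ExpiresAt,
	}
}
```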
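Review bot: The added `assert.WithinDuration` line in TestEnroll (hunk at -144) dereferences `meta.EndpointOIDC.ExpiresAt` unconditionally, so a regression that drops the field panics with a nil-pointer dereference instead of reporting a failed assertion. Guarding it keeps the failure readable: `if assert.NotNil(t, meta.EndpointOIDC.ExpiresAt) { assert.WithinDuration(t, oidcExpiresAt, *meta.EndpointOIDC.ExpiresAt, 1*time.Second) }`. The one-second tolerance also looks wider than needed if the value only makes a JSON round trip, since `time.Time` is encoded with sub-second precision. A comparison with `oidcExpiresAt.Equal(...)` may be enough, but the test server's handling is outside this hunk.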
@@ -407,7 +410,8 @@ func TestDoUpdate(t *testing.T) { IPAddress: hostIP, }, EndpointOIDCMeta: &message.HostEndpointOIDCMetadata{ - Email: oidcEmail, + Email: oidcEmail, + ExpiresAt: nil, }, } rawRes := jsonMarshal(newConfigResponse) @@ -437,6 +441,7 @@ func TestDoUpdate(t *testing.T) { assert.Equal(t, hostName, meta.Host.Name) assert.Equal(t, hostIP, meta.Host.IPAddress) assert.Equal(t, oidcEmail, meta.EndpointOIDC.Email) + assert.Nil(t, meta.EndpointOIDC.ExpiresAt) } diff --git a/message/message.go b/message/message.go index 99cee3f..c3ef62d 100644 --- a/message/message.go +++ b/message/message.go @@ -220,7 +220,8 @@ type HostHostMetadata struct { // HostEndpointOIDCMetadata is included in EnrollResponseData. type HostEndpointOIDCMetadata struct { - Email string `json:"email"` + Email string `json:"email"` + ExpiresAt *time.Time `json:"expiresAt"` } // PreAuthEndpoint is called when starting an OIDC auth flow.
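Review bot: TestDoUpdate only exercises the nil case, so the new `ExpiresAt: result.EndpointOIDCMeta.ExpiresAt` assignment in DoUpdate is never checked with a real timestamp. TestEnroll covers a non-nil value only on the enrollment path. Updates are presumably where a refreshed expiry would reach an already-enrolled host, so I would set a local timestamp in the response here and assert it after a not-nil check, e.g. `assert.True(t, want.Equal(*meta.EndpointOIDC.ExpiresAt))`, where `want` is that local timestamp. The nil case could stay as a separate subtest, and there the explicit `ExpiresAt: nil` is the zero value and can be dropped.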