You can set up a Not Before policy at the realm or client level. You have the option to PUSH this value to the client adapters that have a admin url set up. Not Before policy is also piggybacked with AccessTokenResponse too. Adapters recheck the not before policy before each request and will force a re-auth if the token is stale. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com