diff --git a/src/api/private/tokens/tokens.controller.ts b/src/api/private/tokens/tokens.controller.ts
index d0de614a6..df36d4e6d 100644
--- a/src/api/private/tokens/tokens.controller.ts
+++ b/src/api/private/tokens/tokens.controller.ts
@@ -16,6 +16,7 @@ import {
 import { ApiTags } from '@nestjs/swagger';
 
 import {
+  AuthTokenCreateDto,
   AuthTokenDto,
   AuthTokenWithSecretDto,
 } from '../../../auth/auth-token.dto';
@@ -23,7 +24,6 @@ import { AuthService } from '../../../auth/auth.service';
 import { SessionGuard } from '../../../identity/session.guard';
 import { ConsoleLoggerService } from '../../../logger/console-logger.service';
 import { User } from '../../../users/user.entity';
-import { TimestampMillis } from '../../../utils/timestamp';
 import { OpenApi } from '../../utils/openapi.decorator';
 import { RequestUser } from '../../utils/request-user.decorator';
 
@@ -50,11 +50,14 @@ export class TokensController {
   @Post()
   @OpenApi(201)
   async postTokenRequest(
-    @Body('label') label: string,
-    @Body('validUntil') validUntil: TimestampMillis,
+    @Body() createDto: AuthTokenCreateDto,
     @RequestUser() user: User,
   ): Promise<AuthTokenWithSecretDto> {
-    return await this.authService.createTokenForUser(user, label, validUntil);
+    return await this.authService.createTokenForUser(
+      user,
+      createDto.label,
+      createDto.validUntil,
+    );
   }
 
   @Delete('/:keyId')
diff --git a/src/auth/auth-token.dto.ts b/src/auth/auth-token.dto.ts
index dbf2c92b8..07859dd9a 100644
--- a/src/auth/auth-token.dto.ts
+++ b/src/auth/auth-token.dto.ts
@@ -4,9 +4,10 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 import { Type } from 'class-transformer';
-import { IsDate, IsOptional, IsString } from 'class-validator';
+import { IsDate, IsNumber, IsOptional, IsString } from 'class-validator';
 
 import { BaseDto } from '../utils/base.dto.';
+import { TimestampMillis } from '../utils/timestamp';
 
 export class AuthTokenDto extends BaseDto {
   @IsString()
@@ -33,3 +34,11 @@ export class AuthTokenWithSecretDto extends AuthTokenDto {
   @IsString()
   secret: string;
 }
+
+export class AuthTokenCreateDto extends BaseDto {
+  @IsString()
+  label: string;
+
+  @IsNumber()
+  validUntil: TimestampMillis;
+}
diff --git a/test/private-api/tokens.e2e-spec.ts b/test/private-api/tokens.e2e-spec.ts
index bb8917f08..f85e604ec 100644
--- a/test/private-api/tokens.e2e-spec.ts
+++ b/test/private-api/tokens.e2e-spec.ts
@@ -45,12 +45,15 @@ describe('Tokens', () => {
       .post('/api/private/tokens')
       .send({
         label: tokenName,
+        validUntil: 0,
       })
       .expect('Content-Type', /json/)
       .expect(201);
     keyId = response.body.keyId;
     expect(response.body.label).toBe(tokenName);
-    expect(response.body.validUntil).toBe(null);
+    expect(new Date(response.body.validUntil).getTime()).toBeGreaterThan(
+      Date.now(),
+    );
     expect(response.body.lastUsedAt).toBe(null);
     expect(response.body.secret.length).toBe(98);
   });
@@ -62,7 +65,9 @@ describe('Tokens', () => {
       .expect('Content-Type', /json/)
       .expect(200);
     expect(response.body[0].label).toBe(tokenName);
-    expect(response.body[0].validUntil).toBe(null);
+    expect(new Date(response.body[0].validUntil).getTime()).toBeGreaterThan(
+      Date.now(),
+    );
     expect(response.body[0].lastUsedAt).toBe(null);
     expect(response.body[0].secret).not.toBeDefined();
   });