Tokens should have unlimited lifetime, but should not be sufficient for performing sensitive/destructive actions like deleting an account or changing credentials. Forcing a user to enter their password again just because a token "expired" is phishy behavior and makes your users less safe, not more. (Because once they've come to expect this to happen, they'll gladly also enter their password to phishing sites.)
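One way to implement the split described above, as an added example that is not part of the original comment: tokens carry no expiry and suffice for ordinary requests, while a destructive action is refused unless the current password accompanies that same request. All function names and the in-memory stores are hypothetical.

```python
import hashlib, hmac, os, secrets

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}   # username -> (salt, password hash)
TOKENS = {}  # sha256(token) -> username; deliberately no expiry field

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _pw_hash(password, salt))

def check_password(username, password):
    # Unknown users get a dummy salt so the hash is still computed.
    salt, stored = USERS.get(username, (b"\x00" * 16, b""))
    return hmac.compare_digest(_pw_hash(password, salt), stored)

def login(username, password):
    """Issue a long-lived token; only its hash is stored server-side."""
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token

def user_for(token):
    return TOKENS.get(hashlib.sha256(token.encode()).hexdigest())

def read_profile(token):
    """Ordinary action: the token alone is enough, however old it is."""
    user = user_for(token)
    return f"profile:{user}" if user else None

def delete_account(token, password=None):
    """Destructive action: the token identifies the user but does not authorize."""
    user = user_for(token)
    if user is None:
        return "invalid token"
    if password is None or not check_password(user, password):
        return "password required"
    del USERS[user]
    for key in [k for k, u in TOKENS.items() if u == user]:
        del TOKENS[key]  # revoke every token the account held
    return "deleted"
```

With this shape the password prompt appears only when the user has just asked for a sensitive change, never as an unprompted "session expired" interruption.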