diff --git a/cluster/expected/infra/expected.json b/cluster/expected/infra/expected.json
index c5edae50e0..f363bc6bb1 100644
--- a/cluster/expected/infra/expected.json
+++ b/cluster/expected/infra/expected.json
@@ -100,6 +100,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet, ANS and Splitwell UIs for the Splitwell validator",
 "name": "Splitwell UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.splitwell.mock.network.canton.global",
 "https://wallet.splitwell.mock.global.canton.network.digitalasset.com",
@@ -170,6 +180,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the ANS UI for the SV runbook",
 "name": "ANS UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://cns.sv.mock.network.canton.global",
 "https://cns.sv.mock.global.canton.network.digitalasset.com"
@@ -210,6 +230,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the SV UI for the SV runbook",
 "name": "SV UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://sv.sv.mock.network.canton.global",
 "https://sv.sv.mock.global.canton.network.digitalasset.com"
@@ -250,6 +280,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet UI for the SV runbook",
 "name": "Wallet UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.sv.mock.network.canton.global",
 "https://wallet.sv.mock.global.canton.network.digitalasset.com"
@@ -2252,6 +2292,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet, ANS and SV UIs for SV sv-1",
 "name": "SV1 UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.sv-2.mock.network.canton.global",
 "https://wallet.sv-2.mock.global.canton.network.digitalasset.com",
@@ -2412,6 +2462,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet, ANS and SV UIs for SV sv-da-1",
 "name": "SVDA1 UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.sv-1.mock.network.canton.global",
 "https://wallet.sv-1.mock.global.canton.network.digitalasset.com",
@@ -2540,6 +2600,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet, ANS and Splitwell UIs for the standalone Validator1",
 "name": "Validator1 UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.validator1.mock.network.canton.global",
 "https://wallet.validator1.mock.global.canton.network.digitalasset.com",
@@ -2590,6 +2660,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the ANS UI for the validator runbook",
 "name": "ANS UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://cns.validator.mock.network.canton.global",
 "https://cns.validator.mock.global.canton.network.digitalasset.com",
@@ -2638,6 +2718,16 @@
 "crossOriginAuth": false,
 "description": " ** Managed by Pulumi, do not edit manually **\nUsed for the Wallet UI for the validator runbook",
 "name": "Wallet UI (Pulumi managed, test-stack)",
+ "oidcConformant": true,
+ "refreshToken": {
+ "expirationType": "expiring",
+ "idleTokenLifetime": 259200,
+ "infiniteIdleTokenLifetime": false,
+ "infiniteTokenLifetime": false,
+ "leeway": 5,
+ "rotationType": "rotating",
+ "tokenLifetime": 604800
+ },
 "webOrigins": [
 "https://wallet.validator.mock.network.canton.global",
 "https://wallet.validator.mock.global.canton.network.digitalasset.com",
diff --git a/cluster/pulumi/infra/src/auth0.ts b/cluster/pulumi/infra/src/auth0.ts
index 3db4e60cc3..6ab0ca6b26 100644
--- a/cluster/pulumi/infra/src/auth0.ts
+++ b/cluster/pulumi/infra/src/auth0.ts
@@ -226,6 +226,16 @@ function newUiApp(
 webOrigins: urls,
 crossOriginAuth: false,
 description: ` ** Managed by Pulumi, do not edit manually **\n${description}`,
+ oidcConformant: true,
+ refreshToken: {
+ rotationType: 'rotating',
+ expirationType: 'expiring',
+ tokenLifetime: 604800, // 7d
+ idleTokenLifetime: 259200, // 3d
+ infiniteTokenLifetime: false,
+ infiniteIdleTokenLifetime: false,
+ leeway: 5,
+ },
 },
 { provider: auth0DomainProvider }
 );
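Review bot: `leeway: 5` in the new `refreshToken` block is the only numeric setting left without a unit or rationale, and it is the one that relaxes reuse detection: for that many seconds after a rotation the previous refresh token is still accepted without being treated as a replay. I would annotate it the way the lifetimes are, e.g. `leeway: 5, // seconds the previous token stays valid after rotation (concurrent tabs/retries); reuse inside this window is not flagged`. The rest of `newUiApp` lies outside the hunk, so it is not visible whether the client's grant types include `refresh_token`; if they do not, these settings presumably have no effect, which is worth confirming. Because every UI client built by `newUiApp` now shares the same 7d/3d lifetimes, lifting them into named constants would keep the session policy reviewable in one place.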