diff --git a/tf-stage2/keycloak.tf b/tf-stage2/keycloak.tf
index 94dd79dd48b47e4d5fc394b8c689bc13c4bfd17e..35c26ffc1df4539fdc258b36733ac7722c22640d 100644
--- a/tf-stage2/keycloak.tf
+++ b/tf-stage2/keycloak.tf
@@ -94,6 +94,9 @@ resource "keycloak_realm" "archlinux" {
   registration_flow      = "Arch Registration"
   reset_credentials_flow = "Arch Reset Credentials"
 
+  // set one hour validity for password reset mails etc
+  action_token_generated_by_user_lifespan = "60m0s"
+
   smtp_server {
     host              = "mail.archlinux.org"
     from              = "accounts@archlinux.org"