diff --git a/terraform/lambda-src/password_set/handler.py b/terraform/lambda-src/password_set/handler.py
index eff307d..6311e13 100644
--- a/terraform/lambda-src/password_set/handler.py
+++ b/terraform/lambda-src/password_set/handler.py
@@ -33,7 +33,7 @@ TEAM_PROVISIONER_FUNCTION = os.environ.get(
     "TEAM_PROVISIONER_FUNCTION", "javabin-team-provisioner"
 )
-PASSWORD_TOKEN_TTL = 48 * 3600  # 48 hours
+PASSWORD_TOKEN_TTL = 60 * 86400  # 60 days — single-use via DynamoDB
 _secret_cache = {}
@@ -106,11 +106,7 @@ def _validate_token(token):
     except Exception:
         return None, "Invalid token payload"
-    # Check expiry
-    if time.time() > payload.get("exp", 0):
-        return None, "Token has expired"
-
-    # Check single-use via DynamoDB
+    # Check single-use via DynamoDB (no time-based expiry — tokens are one-time use only)
     jti = payload.get("jti", "")
     dedup_key = f"pwset:{jti}"
     try:
@@ -129,7 +125,7 @@ def _mark_token_used(jti):
         _dedup_table().put_item(Item={
             "finding_key": f"pwset:{jti}",
             "used_at": int(time.time()),
-            "expires_at": int(time.time()) + (30 * 86400),
+            "expires_at": int(time.time()) + (60 * 86400),  # Match token lifetime
         })
     except Exception as e:
         logger.warning("Failed to mark token used: %s", e)
diff --git a/terraform/lambda-src/team_provisioner/handler.py b/terraform/lambda-src/team_provisioner/handler.py
index a672e3a..b8289d1 100644
--- a/terraform/lambda-src/team_provisioner/handler.py
+++ b/terraform/lambda-src/team_provisioner/handler.py
@@ -256,7 +256,7 @@ def _send_welcome_email(access_token, javabin_email, personal_email, firstname,
     if password_set_url:
         password_section = f"""\
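Review bot: The 60-day lifetime is now spelled out as a literal in three places — `PASSWORD_TOKEN_TTL` here, the `expires_at` arithmetic in `_mark_token_used` (third hunk of this file), and the `exp` claim minted in `_generate_password_set_url` in team_provisioner — so the values can drift apart silently, and the dedup record's TTL must never be shorter than the token lifetime for the single-use guarantee to hold. Within this file the dedup line can reference the constant directly: `"expires_at": int(time.time()) + PASSWORD_TOKEN_TTL,  # dedup record must outlive the token`. None of the hunks shown reads `PASSWORD_TOKEN_TTL` now that the `exp` check has been removed from `_validate_token`; if nothing else in the file consumes it, the constant is dead and its comment should say what actually enforces the lifetime.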
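Review bot: Removing the `exp` check from `_validate_token` leaves the token lifetime unbounded, while the single-use guard it now relies on is only a DynamoDB item that `_mark_token_used` writes with a 60-day `expires_at` (third hunk); once that item is TTL-deleted, an already-used token validates again, and a token that was never used stays valid indefinitely. The `exp` claim is still minted in `_generate_password_set_url` (team_provisioner hunk) but nothing verifies it. Keep the check with the new lifetime so replay is bounded by the dedup record's life: `if time.time() > payload.get("exp", 0): return None, "Token has expired"`. Separately, the read here and the write in `_mark_token_used` are two unconditional calls, so concurrent use of one token is not excluded by the visible code; a `ConditionExpression="attribute_not_exists(finding_key)"` on the `put_item` would make the mark atomic, and its `except Exception` should then not be treated as success. `_validate_token` starts and ends outside this hunk.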

-Klikk p\u00e5 knappen under for \u00e5 sette passordet ditt. Lenken er gyldig i 48 timer.
+Klikk p\u00e5 knappen under for \u00e5 sette passordet ditt. Lenken kan kun brukes \u00e9n gang.

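Review bot: The new sentence no longer tells the recipient how long the link works, yet the token produced by `_generate_password_set_url` still carries a 60-day `exp`; if validation enforces that claim (it should, see the password_set hunk), the email should state it, e.g. `Lenken kan kun brukes én gang og er gyldig i 60 dager.` The `password_section` f-string and `_send_welcome_email` continue beyond the hunk, so the surrounding wording is not visible here.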
@@ -1516,7 +1516,7 @@ def _generate_password_set_url(email):
     signing_key = _get_ssm_param(SIGNING_KEY_PARAM)
     payload = json.dumps({
         "email": email,
-        "exp": int(time.time()) + 48 * 3600,  # 48 hours
+        "exp": int(time.time()) + 60 * 86400,  # 60 days — single-use
         "jti": str(uuid.uuid4()),
     })
     payload_b64 = _b64url(payload)
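Review bot: The comment `# 60 days — single-use` ties "single-use" to the `exp` claim, but single use is enforced (where it is) by the DynamoDB dedup record in password_set, not by `exp`; and since this commit also drops the `exp` check in `_validate_token`, the claim is minted here but never verified. I would hoist the literal into a module-level constant in this file mirroring `PASSWORD_TOKEN_TTL` from password_set (the two must stay equal, and the dedup `expires_at` must not be shorter) and write `"exp": int(time.time()) + PASSWORD_TOKEN_TTL,  # checked by password_set._validate_token`. The remainder of `_generate_password_set_url` is outside the hunk.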