The security token and client id granted to the caller after authentication represent a REST API session. As long as the server remains active (not rebooted), and the credentials are continually used, the session will not expire. If there is no activity on the session after 30 minutes, the session will expire and a 401 Unauthorized response will be returned for all operations. This idle timeout can be configured on the server using the OAS Configuration app. Go to Configure > Options, select your OAS server (usually localhost when configuring the current machine) and then go to the Networking tab. Here you can set the REST API Session Timeout in minutes.