diff --git a/backend/ee-repo-ref.txt b/backend/ee-repo-ref.txt
index 1ff8cc8af9778..8c6e6d7338194 100644
--- a/backend/ee-repo-ref.txt
+++ b/backend/ee-repo-ref.txt
@@ -1 +1 @@
-c559aa1896dafc98a5000ce1a77bd28a9e087363
+0d72102809e766d5285a162dcc30055847700ee2
diff --git a/backend/windmill-api/openapi.yaml b/backend/windmill-api/openapi.yaml
index 912cc477c507f..67851c993e0ae 100644
--- a/backend/windmill-api/openapi.yaml
+++ b/backend/windmill-api/openapi.yaml
@@ -3463,6 +3463,10 @@ paths:
           required: true
           schema:
             type: string
+        - name: expires_in
+          in: query
+          schema:
+            type: number
 
       responses:
         "200":
diff --git a/python-client/wmill/wmill/client.py b/python-client/wmill/wmill/client.py
index cf6d1f9d51944..eaad83b25ea5e 100644
--- a/python-client/wmill/wmill/client.py
+++ b/python-client/wmill/wmill/client.py
@@ -413,8 +413,11 @@ def get_root_job_id(self, job_id: str | None = None) -> dict:
         job_id = job_id or os.environ.get("WM_JOB_ID")
         return self.get(f"/w/{self.workspace}/jobs_u/get_root_job_id/{job_id}").json()
 
-    def get_id_token(self, audience: str) -> str:
-        return self.post(f"/w/{self.workspace}/oidc/token/{audience}").text
+    def get_id_token(self, audience: str, expires_in: int | None = None) -> str:
+        params = {}
+        if expires_in is not None:
+            params["expires_in"] = expires_in
+        return self.post(f"/w/{self.workspace}/oidc/token/{audience}", params=params).text
 
     def get_job_status(self, job_id: str) -> JobStatus:
         job = self.get_job(job_id)
diff --git a/typescript-client/client.ts b/typescript-client/client.ts
index ab1c232ca6077..03f6f51a2f750 100644
--- a/typescript-client/client.ts
+++ b/typescript-client/client.ts
@@ -945,13 +945,15 @@ export function getResumeEndpoints(approver?: string): Promise<{
 /**
  * Get an OIDC jwt token for auth to external services (e.g: Vault, AWS) (ee only)
  * @param audience audience of the token
+ * @param expiresIn Optional number of seconds until the token expires
  * @returns jwt token
  */
-export async function getIdToken(audience: string): Promise<string> {
+export async function getIdToken(audience: string, expiresIn?: number): Promise<string> {
   const workspace = getWorkspace();
   return await OidcService.getOidcToken({
     workspace,
     audience,
+    expiresIn,
   });
 }