...
Gateway stores all tokens within the administrative domain as automatically expiring objects using the object lifepoint feature. The expiration time of an authentication token can be specified when the token is created. A default expiration time is assigned based on the tokenTTLHours parameter in the [gateway] section of the gateway.cfg file if the time is not specified. The request proceeds as an anonymous user subject to all of the normal access control policies if an expired token is presented to Gateway. The Set-Cookie header of the response instructs the HTTP client to delete the expired token cookie.
...