---
title: Managing expired persistent grants in PingDS
description: Configure TTL settings in PingDS to remove expired data from your directory server.
component: pingfederate
version: 13.0
page_id: pingfederate:administrators_reference_guide:pf_managing_expired_persistent_grants_ds
canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_managing_expired_persistent_grants_ds.html
section_ids:
  about-this-task: About this task
  steps: Steps
  related-links: Related links
---

# Managing expired persistent grants in PingDS

When storing OAuth persistent grants on a PingDS server, you can configure time-to-live (TTL) settings in PingDS to remove expired data from your directory server.

|   |                                                                                                                                                                                                                                         |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You must configure PingFederate to use `org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDSV2Impl` for access grant storage. Learn more in [Configuring directories for grant storage](pf_config_directori_for_grant_storage.html). |

## About this task

In PingDS, you can use backend indexes to enable TTL for generalized time indexes. Learn more in [Backend Index](https://docs.pingidentity.com/pingds/latest/configref/objects-backend-index.html) in the PingDS documentation.

## Steps

1. Disable the PingFederate cleanup task.

   |   |                                                                                                                                      |
   | - | ------------------------------------------------------------------------------------------------------------------------------------ |
   |   | For a clustered PingFederate environment, make these change on the console node. No changes are required on any of the engine nodes. |

   1. Open the `<pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml` file in a text editor.

   2. Update the `AccessGrantCleanerInterval` value to `0`.

   3. Save your changes.

   4. Restart PingFederate.

2. Connect to the PingDS server.

3. Update the index using the PingDS `dsconfig` utility.

   The `dsconfig` utility is interactive. You can also provide inputs as command arguments.

4. To remove expired OAuth persistent grants, update the `accessGrantExpiresTime` index.

   ```shell
   $ dsconfig set-backend-index-prop \
    --hostname localhost \
    --port 4444 \
    --bindDN uid=admin \
    --bindPassword password \
    --backend-name dsEvaluation \
    --index-name accessGrantExpiresTime \
    --set ttl-enabled:true \
    --set ttl-age:0\ s \
    --usePkcs12TrustStore /path/to/opendj/config/keystore \
    --trustStorePassword:file /path/to/opendj/config/keystore.pin \
    --no-prompt
   ```

## Related links

* [Grant types](../introduction_to_pingfederate/pf_grant_types.html)

* [Grant storage and management](../introduction_to_pingfederate/pf_grant_stor_and_manage.html)

* [Indexing grant attributes in PingDS](pf_index_grant_attributes_pingds.html)