Open
Labels: needs-triage (needs to be reviewed)
Description
gh auth token can be used to display the token, even when it is kept in "secure storage" (#449).
I am concerned about such tokens being exfiltrated, but could not find any documentation regarding the lifetime of OAuth tokens.
So, the question is:
When the gh CLI is authorized as an OAuth app, does the token change over time and if yes, how frequently is that the case?
When authenticating gh through a PAT that users create themselves, the expiration time can be controlled and/or will be restricted through GitHub organization settings.