diff --git a/http/oauth2/introspection.go b/http/oauth2/introspection.go
index 915207ca2..f1fa3866b 100644
--- a/http/oauth2/introspection.go
+++ b/http/oauth2/introspection.go
@@ -29,6 +29,7 @@ type IntrospectResponse struct {
 Scope string `json:"scope"`
 ClientID string `json:"client_id"`
 UserID string `json:"user_id"`
+ AuthTime int64 `json:"auth_time"`
 // Backend identifies the backend used for introspection. This attribute
 // exists as a convenience if you have more than one authorization backend
diff --git a/http/oauth2/oauth2.go b/http/oauth2/oauth2.go
index b27f44831..fe6a77d0c 100644
--- a/http/oauth2/oauth2.go
+++ b/http/oauth2/oauth2.go
@@ -9,10 +9,9 @@ package oauth2
 import (
 "context"
 "errors"
- "net/http"
-
 "github.com/opentracing/opentracing-go"
 olog "github.com/opentracing/opentracing-go/log"
+ "net/http"
 "github.com/pace/bricks/http/security"
 "github.com/pace/bricks/maintenance/log"
@@ -46,6 +45,7 @@ type token struct {
 value string
 userID string
 clientID string
+ authTime int64
 scope Scope
 backend interface{}
 }
@@ -102,6 +102,7 @@ func fromIntrospectResponse(s *IntrospectResponse, tokenValue string) token {
 t := token{
 userID: s.UserID,
 value: tokenValue,
+ authTime: s.AuthTime,
 clientID: s.ClientID,
 backend: s.Backend,
 }
@@ -141,6 +142,16 @@ func UserID(ctx context.Context) (string, bool) {
 return oauth2token.userID, true
 }
+// AuthTime returns the auth time stored in ctx as unix timestamp
+func AuthTime(ctx context.Context) (int64, bool) {
+ tok, _ := security.GetTokenFromContext(ctx)
+ oauth2token, ok := tok.(*token)
+ if !ok {
+ return 0, false
+ }
+ return oauth2token.authTime, true
+}
+
 // Scopes returns the scopes stored in ctx
 func Scopes(ctx context.Context) []string {
 tok, _ := security.GetTokenFromContext(ctx)
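Review bot: An introspection response that omits `auth_time` decodes to `AuthTime == 0`, which cannot be told apart from a real timestamp, and the new `AuthTime(ctx)` accessor in oauth2.go then returns `(0, true)`. Its boolean only reports that an oauth2 token is in the context, so a caller that gates a sensitive action on how recently the user authenticated has to special-case 0 itself. Either return `oauth2token.authTime, oauth2token.authTime != 0` from the accessor, or state the contract on the field, for example `// AuthTime is when the user authenticated, as a Unix timestamp; 0 if the backend sent no auth_time.` The struct body continues outside this hunk.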
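Review bot: Moving `"net/http"` below the opentracing imports places a standard-library package in the third-party group, which is not the grouping goimports produces and looks unrelated to the auth-time change. Keep `"net/http"` directly after `"errors"`, followed by the blank separator line, so the stdlib group stays intact. The import block continues outside this hunk.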