diff --git a/tests/framework/integration/cluster.go b/tests/framework/integration/cluster.go
index 82d4a7b41bbb..a9b0a098f49c 100644
--- a/tests/framework/integration/cluster.go
+++ b/tests/framework/integration/cluster.go
@@ -139,7 +139,8 @@ type ClusterConfig struct {
 
 	DiscoveryURL string
 
-	AuthToken string
+	AuthToken    string
+	AuthTokenTTL uint
 
 	QuotaBackendBytes int64
 
@@ -263,6 +264,7 @@ func (c *Cluster) mustNewMember(t testutil.TB) *Member {
 			Name:                        fmt.Sprintf("m%v", memberNumber),
 			MemberNumber:                memberNumber,
 			AuthToken:                   c.Cfg.AuthToken,
+			AuthTokenTTL:                c.Cfg.AuthTokenTTL,
 			PeerTLS:                     c.Cfg.PeerTLS,
 			ClientTLS:                   c.Cfg.ClientTLS,
 			QuotaBackendBytes:           c.Cfg.QuotaBackendBytes,
@@ -586,6 +588,7 @@ type MemberConfig struct {
 	PeerTLS                     *transport.TLSInfo
 	ClientTLS                   *transport.TLSInfo
 	AuthToken                   string
+	AuthTokenTTL                uint
 	QuotaBackendBytes           int64
 	MaxTxnOps                   uint
 	MaxRequestBytes             uint
@@ -679,6 +682,9 @@ func MustNewMember(t testutil.TB, mcfg MemberConfig) *Member {
 	if mcfg.AuthToken != "" {
 		m.AuthToken = mcfg.AuthToken
 	}
+	if mcfg.AuthTokenTTL != 0 {
+		m.TokenTTL = mcfg.AuthTokenTTL
+	}
 
 	m.BcryptCost = uint(bcrypt.MinCost) // use min bcrypt cost to speedy up integration testing
 
diff --git a/tests/integration/v3_auth_test.go b/tests/integration/v3_auth_test.go
index fd300ba78efb..2169b6f36f29 100644
--- a/tests/integration/v3_auth_test.go
+++ b/tests/integration/v3_auth_test.go
@@ -497,3 +497,36 @@ func TestV3AuthRestartMember(t *testing.T) {
 	_, err = c2.Put(context.TODO(), "foo", "bar2")
 	testutil.AssertNil(t, err)
 }
+
+func TestV3AuthWatchAndTokenExpire(t *testing.T) {
+	integration.BeforeTest(t)
+	clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1, AuthTokenTTL: 3})
+	defer clus.Terminate(t)
+
+	ctx, cancel := context.WithTimeout(context.TODO(), 10*time.Second)
+	defer cancel()
+
+	authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth)
+
+	c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
+	if cerr != nil {
+		t.Fatal(cerr)
+	}
+	defer c.Close()
+
+	_, err := c.Put(ctx, "key", "val")
+	if err != nil {
+		t.Fatalf("Unexpected error from Put: %v", err)
+	}
+
+	// The first watch gets a valid auth token through watcher.newWatcherGrpcStream()
+	// We should discard the first one by waiting TTL after the first watch.
+	wChan := c.Watch(ctx, "key", clientv3.WithRev(1))
+	watchResponse := <-wChan
+
+	time.Sleep(5 * time.Second)
+
+	wChan = c.Watch(ctx, "key", clientv3.WithRev(1))
+	watchResponse = <-wChan
+	testutil.AssertNil(t, watchResponse.Err())
+}