diff --git a/tokencache/cache_token_source.go b/tokencache/cache_token_source.go
index 00f0642..6e9ec94 100644
--- a/tokencache/cache_token_source.go
+++ b/tokencache/cache_token_source.go
@@ -3,10 +3,15 @@ package tokencache
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/pardot/oidc"
 )
 
+const (
+	tokenExpirationGracePeriod = time.Duration(30 * time.Second)
+)
+
 type cachingTokenSource struct {
 	src   oidc.TokenSource
 	cache CredentialCache
@@ -87,7 +92,7 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 	}
 
 	var newToken *oidc.Token
-	if token != nil && token.Valid() {
+	if token != nil && token.Valid() && !tokenWithinGracePeriod(token) {
 		return token, nil
 	} else if token != nil && token.RefreshToken != "" {
 		// we have an expired token, try and refresh if we can.
@@ -114,3 +119,8 @@ func (c *cachingTokenSource) Token(ctx context.Context) (*oidc.Token, error) {
 
 	return newToken, nil
 }
+
+func tokenWithinGracePeriod(token *oidc.Token) bool {
+	gracePeriodStart := token.Claims.Expiry.Time().Add(-tokenExpirationGracePeriod)
+	return gracePeriodStart.Before(time.Now()) && token.Valid()
+}
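Review bot: `time.Duration(30 * time.Second)` in the new const block is a redundant conversion, since `30 * time.Second` already has type `time.Duration`; `tokenExpirationGracePeriod = 30 * time.Second` says the same thing without the wrapper. The constant is also the only place that explains the new behaviour in `Token`, so it deserves a doc comment, e.g. `// tokenExpirationGracePeriod is how long before a cached token's expiry it is treated as expiring, so it is refreshed or re-issued before a caller can present a token that lapses in flight.`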
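Review bot: The comment on the `else if` branch, `// we have an expired token, try and refresh if we can.`, is no longer accurate after the new condition, because that branch is now also reached for a token that is still valid but inside the grace window; `// the token is expired or about to expire; try and refresh if we can.` describes the new flow. A valid token inside the grace window that has no refresh token now falls past both branches into the code after this hunk, which presumably requests a fresh token from `c.src`; since that code is outside the hunk it is worth confirming that a failed refresh or re-issue does not turn a still-usable cached token into an error for the caller. The enclosing `Token` method starts and ends outside this hunk.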
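Review bot: The trailing `&& token.Valid()` in `tokenWithinGracePeriod` is redundant at its only call site, where the previous hunk already requires `token.Valid()` before calling it, and it makes the name misleading because an already-expired token answers false to "within grace period"; the body reads more directly as `return time.Now().After(token.Claims.Expiry.Time().Add(-tokenExpirationGracePeriod))`. The function also needs a doc comment such as `// tokenWithinGracePeriod reports whether token's expiry is less than tokenExpirationGracePeriod away, i.e. it should be treated as expiring.` The type of `token.Claims.Expiry` is not visible here; if it can be unset or zero for a token without an expiry claim, the zero time minus the grace period is always in the past and every such token would be treated as expiring, which is worth confirming against the oidc package.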