I followed an example of using node-oauth2-server, and it seems the example is non-compliant with OAuth2 standards.

pedroetb/node-oauth2-server-example#10

When I return the json of the token, I get accessTokenExpiresAt instead of the expected expires_in

From https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/

* expires_in (recommended) If the access token expires, the server should reply with the duration of time the access token is granted for.

So it's recommended to be this but not a hard requirement, so this doesn't make it non compliant.

Secondly, though might not be the best thing you'd want, when you get the token just modify wherever you return it from, you don't have to return token itself, you can do whatever you please with it.

const expires_in = token.accessTokenExpiresAt;
delete token.accessTokenExpiresAt;
return {...token, expires_in}

I suppose it isn't non compliant when it comes to handling the access token itself. I would suggest that the expiration time be shared in a compliant way. It was confusing to have the time values included, but then not have them be recognized in the client.

Actually... expiresAt is the time when it is expiring. So you need actually to subtract the current time from the expiresAt to get expires_in.