diff --git a/src/mcplocal/src/serve.ts b/src/mcplocal/src/serve.ts
index 9aad665..c9ee651 100644
--- a/src/mcplocal/src/serve.ts
+++ b/src/mcplocal/src/serve.ts
@@ -67,9 +67,12 @@ export async function serve(): Promise<void> {
   const httpServer = await createHttpServer(httpConfig, { router, providerRegistry });
 
   // Auth preHandler: only protect the MCP surfaces. /health, /healthz, /proxymodels etc stay open.
-  // Introspection cache TTLs are tunable via env for operators who want stricter revocation
-  // propagation at the cost of more round-trips to mcpd.
-  const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '30000');
+  // Introspection cache TTLs are tunable via env for operators who want a different tradeoff.
+  // Default 5s for both: mcpd's introspection endpoint is a single DB lookup, so the cache
+  // mainly protects against burst restart storms — not steady-state load. A higher positive
+  // TTL means revoked tokens keep working for the full window after revocation; 5s aligns with
+  // the negativeTtl and matches mcptoken.smoke's 7s `wait after revoke` assertion.
+  const positiveTtlMs = Number(process.env.MCPLOCAL_TOKEN_POSITIVE_TTL_MS ?? '5000');
   const negativeTtlMs = Number(process.env.MCPLOCAL_TOKEN_NEGATIVE_TTL_MS ?? '5000');
   const tokenAuth = createTokenAuthMiddleware({ mcpdUrl, positiveTtlMs, negativeTtlMs });
   httpServer.addHook('preHandler', async (request, reply) => {