diff --git a/java/google/registry/proxy/ProxyModule.java b/java/google/registry/proxy/ProxyModule.java
index 9c6efbb29..6e8cd5bb2 100644
--- a/java/google/registry/proxy/ProxyModule.java
+++ b/java/google/registry/proxy/ProxyModule.java
@@ -29,6 +29,7 @@ import com.google.api.services.cloudkms.v1.model.DecryptRequest;
 import com.google.api.services.storage.Storage;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Maps;
+import com.google.common.flogger.FluentLogger;
 import com.google.common.flogger.LoggerConfig;
 import com.google.monitoring.metrics.MetricReporter;
 import dagger.Component;
@@ -71,6 +72,8 @@ import javax.inject.Singleton;
 @Module
 public class ProxyModule {
 
+  private static final FluentLogger logger = FluentLogger.forEnclosingClass();
+
   @Parameter(names = "--whois", description = "Port for WHOIS")
   private Integer whoisPort;
 
@@ -130,6 +133,8 @@ public class ProxyModule {
       // Log source IP information if --log parameter is passed. This is considered PII and should
       // only be used in non-production environment for debugging purpose.
       LoggerConfig.getConfig(ProxyProtocolHandler.class).setLevel(Level.FINE);
+      // Log at debug level what is the refreshed access token.
+      LoggerConfig.getConfig(ProxyModule.class).setLevel(Level.FINE);
     }
   }
 
@@ -236,7 +241,10 @@ public class ProxyModule {
           } catch (IOException e) {
             throw new RuntimeException("Cannot refresh access token.", e);
           }
-          return credential.getAccessToken();
+          // TODO (jianglai): Remove access token refresh logging.
+          String token = credential.getAccessToken();
+          logger.atFine().log("Access token refreshed: %s", token);
+          return token;
         },
         config.accessTokenValidPeriodSeconds - config.accessTokenRefreshBeforeExpirySeconds,
         SECONDS);
diff --git a/java/google/registry/proxy/config/default-config.yaml b/java/google/registry/proxy/config/default-config.yaml
index 32fb6f9c1..893f1edeb 100644
--- a/java/google/registry/proxy/config/default-config.yaml
+++ b/java/google/registry/proxy/config/default-config.yaml
@@ -20,15 +20,17 @@ gcpScopes:
   # to authenticate.
   - https://www.googleapis.com/auth/userinfo.email
 
-# Access token is valid for 30 minutes.
+# Access token is valid for 10 minutes.
 #
 # Document says that the token should be good for 60 minutes, but in practice
 # we've run into problems with token becoming invalid before supposed expiration
-# time. 30 minutes seems to be a good compromise which guarantees token validity
-# without making many more API calls to the OAuth server.
+# time. This used to be set to 30 min but we still observe very rare occurrence
+# of INVALID_TOKEN response (not even EXPIRED_TOKEN, which is also a possible
+# response). Set it to 10 minutes so that the tokens can be refreshed more
+# frequently.
 # See also: Data store
 # (https://developers.google.com/api-client-library/java/google-api-java-client/oauth2#data_store).
-accessTokenValidPeriodSeconds: 1800
+accessTokenValidPeriodSeconds: 600
 
 # Access token is refreshed 1 minutes before expiry.
 #