diff --git a/pkg/cache/memorycache/provider.go b/pkg/cache/memorycache/provider.go
index db340210b5..c51c6057d4 100644
--- a/pkg/cache/memorycache/provider.go
+++ b/pkg/cache/memorycache/provider.go
@@ -105,6 +105,12 @@ func (provider *provider) Set(ctx context.Context, orgID valuer.UUID, cacheKey s
 		return err
 	}
 
+	// To make sure ristretto does not go into no-op
+	if ttl < 0 {
+		provider.settings.Logger().WarnContext(ctx, "ttl is less than 0, setting it to 0")
+		ttl = 0
+	}
+
 	if cloneable, ok := data.(cachetypes.Cloneable); ok {
 		span.SetAttributes(attribute.Bool("memory.cloneable", true))
 		span.SetAttributes(attribute.Int64("memory.cost", 1))
diff --git a/pkg/tokenizer/config.go b/pkg/tokenizer/config.go
index 109f0fcb47..ffe7fac8e5 100644
--- a/pkg/tokenizer/config.go
+++ b/pkg/tokenizer/config.go
@@ -93,6 +93,16 @@ func newConfig() factory.Config {
 }
 
 func (c Config) Validate() error {
+	// Ensure that lifetime idle is not negative
+	if c.Lifetime.Idle < 0 {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "lifetime::idle must not be negative")
+	}
+
+	// Ensure that lifetime max is not negative
+	if c.Lifetime.Max < 0 {
+		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "lifetime::max must not be negative")
+	}
+
 	// Ensure that rotation interval is smaller than lifetime idle
 	if c.Rotation.Interval >= c.Lifetime.Idle {
 		return errors.New(errors.TypeInvalidInput, errors.CodeInvalidInput, "rotation::interval must be smaller than lifetime::idle")
diff --git a/pkg/tokenizer/jwttokenizer/provider.go b/pkg/tokenizer/jwttokenizer/provider.go
index 73a3b29d4d..2e602d32f4 100644
--- a/pkg/tokenizer/jwttokenizer/provider.go
+++ b/pkg/tokenizer/jwttokenizer/provider.go
@@ -263,7 +263,7 @@ func (provider *provider) getOrSetIdentity(ctx context.Context, orgID, userID va
 		return nil, err
 	}
 
-	err = provider.cache.Set(ctx, orgID, identityCacheKey(identity.UserID), identity, -1)
+	err = provider.cache.Set(ctx, orgID, identityCacheKey(identity.UserID), identity, 0)
 	if err != nil {
 		provider.settings.Logger().ErrorContext(ctx, "failed to cache identity", "error", err)
 	}
diff --git a/pkg/tokenizer/opaquetokenizer/provider.go b/pkg/tokenizer/opaquetokenizer/provider.go
index 1ad7e9647e..73e04fc82e 100644
--- a/pkg/tokenizer/opaquetokenizer/provider.go
+++ b/pkg/tokenizer/opaquetokenizer/provider.go
@@ -410,7 +410,7 @@ func (provider *provider) setToken(ctx context.Context, token *authtypes.Token,
 }
 
 func (provider *provider) setIdentity(ctx context.Context, identity *authtypes.Identity) error {
-	err := provider.cache.Set(ctx, emptyOrgID, identityCacheKey(identity.UserID), identity, -1)
+	err := provider.cache.Set(ctx, emptyOrgID, identityCacheKey(identity.UserID), identity, 0)
 	if err != nil {
 		return err
 	}
@@ -434,7 +434,7 @@ func (provider *provider) getOrGetSetIdentity(ctx context.Context, userID valuer
 		return nil, err
 	}
 
-	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(userID), identity, -1)
+	err = provider.cache.Set(ctx, emptyOrgID, identityCacheKey(userID), identity, 0)
 	if err != nil {
 		return nil, err
 	}