diff --git a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
index 0fe68a1a637c6..22e4b357e191d 100644
--- a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
@@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw
 export function credentialsAboutToExpire(token: AwsCredentialIdentity) {
 const expiryMarginSecs = 5;
- return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
+ return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
 }
diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
index 77fc97731e58d..af5f6012ed09d 100644
--- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
+++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
@@ -1,4 +1,5 @@
 import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins';
+import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching';
 import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source';
 import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin';
@@ -134,6 +135,15 @@ test('plugin must not return something that is not a credential', async () => {
 await expect(fetchNow()).rejects.toThrow(/Plugin returned a value that/);
 });
+test('token expiration is allowed to be null', () => {
+ expect(credentialsAboutToExpire({
+ accessKeyId: 'key',
+ secretAccessKey: 'secret',
+ // This is not allowed according to the `.d.ts` contract, but it can happen in reality
+ expiration: null as any,
+ })).toEqual(false);
+});
+
 function mockCredentialFunction(p: CredentialProviderSource['getProvider']) {
 mockCredentialPlugin({
 name: 'test',
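Review bot: The truthiness guard in `credentialsAboutToExpire` covers `null`, but any other off-contract value still gets through it. A truthy non-Date (an ISO string or epoch number from a plugin, say) reaches `.getTime()` and throws, and an invalid Date yields NaN, so the comparison is false and the credentials are treated as never about to expire. Since the accompanying test acknowledges that plugins break the `.d.ts` contract, it is worth deciding explicitly how such values are handled, for example by validating or normalising `expiration` where plugin output is accepted. Whether that already happens upstream is not visible in this hunk. A comment such as `// expiration may be null at runtime despite the type; do not tighten this back to !== undefined` would also stop a later cleanup from reverting the fix.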
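Review bot: The added test pins only the `null` case, so nothing here shows that the rewritten condition still returns `true` for credentials inside the 5-second margin or `false` for `undefined`. Two more assertions would cover that, e.g. `expiration: new Date(Date.now() + 1000)` expecting `true` and an object without `expiration` expecting `false`. `null as any` could be `null as unknown as Date` to keep the cast narrow, though that is a minor style point in test code.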