diff --git a/cmd/cue/cmd/login.go b/cmd/cue/cmd/login.go
index 2d0a52903fb..1a8674bb451 100644
--- a/cmd/cue/cmd/login.go
+++ b/cmd/cue/cmd/login.go
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
@@ -99,9 +100,11 @@ inside $CUE_CONFIG_DIR; see 'cue help environment'.
 
 			// For consistency, store timestamps in UTC.
 			tok.Expiry = tok.Expiry.UTC()
+			// OAuth2 measures expiry in seconds via the expires_in JSON wire format field,
+			// so any sub-second units add unnecessary verbosity.
+			tok.Expiry = tok.Expiry.Truncate(time.Second)
 
 			_, err = cueconfig.UpdateRegistryLogin(loginsPath, host.Name, tok)
-
 			if err != nil {
 				return fmt.Errorf("cannot store CUE registry logins: %v", err)
 			}
diff --git a/cmd/cue/cmd/testdata/script/login_immediate.txtar b/cmd/cue/cmd/testdata/script/login_immediate.txtar
index 170fd376f50..f32caade652 100644
--- a/cmd/cue/cmd/testdata/script/login_immediate.txtar
+++ b/cmd/cue/cmd/testdata/script/login_immediate.txtar
@@ -14,7 +14,7 @@ grep -count=1 '"access_token"' cueconfig/logins.json
 # Ensure the contents of the token look correct.
 grep -count=1 '"access_token": "secret-access-token"' cueconfig/logins.json
 grep -count=1 '"token_type": "Bearer"' cueconfig/logins.json
-# Timestamps are always stored in UTC.
-grep '"expiry": "20..-..-..T.*Z"' cueconfig/logins.json
+# Timestamps are always stored in UTC and truncated to seconds.
+grep '"expiry": "20..-..-..T..:..:..Z"' cueconfig/logins.json
 # oauthregistry does not give a refresh token, and we use encoding/json's omitempty.
 ! grep '"refresh_token"' cueconfig/logins.json