diff --git a/CHANGELOG.md b/CHANGELOG.md
index d22b6553..9de77e0b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,9 @@
 ### Breaking changes
 - Seacat Auth listens on ports 3081 and 8900 by default (#230, PLUM Sprint 230714)
 
+### Fix
+- Validate client session expiration (#237, PLUM Sprint 230714)
+
 ### Features
 - Seacat Auth listens on ports 3081 and 8900 by default (#230, PLUM Sprint 230714)
 
diff --git a/seacatauth/client/service.py b/seacatauth/client/service.py
index 01743eeb..69b18965 100644
--- a/seacatauth/client/service.py
+++ b/seacatauth/client/service.py
@@ -463,7 +463,11 @@ async def update(self, client_id: str, **kwargs):
 				upsertor.unset(k)
 			else:
 				if k == "session_expiration" and isinstance(v, str):
-					v = convert_to_seconds(v)
+					try:
+						v = convert_to_seconds(v)
+					except ValueError as e:
+						raise asab.exceptions.ValidationError(
+							"{!r} must be either a number or a duration string.".format(k)) from e
 				upsertor.set(k, v)
 
 		await upsertor.execute(event_type=EventTypes.CLIENT_UPDATED)