It's configurable. If you go to the tenant details page, then to the Advanced tab, you'll see the setting there; it's called Authorization Code. It's also documented in the tenant API, search for tenant.externalIdentifierConfiguration.authorizationGrantIdTimeToLiveInSeconds here: https://fusionauth.io/docs/v1/tech/apis/tenants
Looks like valid durations are between 1 and 600 seconds.
This seems like a case for the client credentials grant, which is unfortunately still on the roadmap: https://github.com/FusionAuth/fusionauth-issues/issues/155 Not sure that would help with the rotation, though. Just like username and password approach, I don't believe the credentials grant lets you rotate creds in.
Other options: you could look into a third party api management solution (as mentioned here).
You can control the duration on an application by application basis (so all JWTs issued by one application have to have the same length). You could create a 'services' application that only these services would have registrations with, not sure if that would work.