It stays there forever, but:
- The user is created when the request is sent out, but is disabled.
- By default that user is created and the clock is ticking on that user account when the request is sent.
- If the user only has a lifetime of 1 day, the user will expire, whether approved or not, and it does not matter if the link is clicked to enable that user.
Long story short, is it not the request that is important; it is the user creation.