API Token Rotation

Matt Fellows

It is good security practice to rotate your credentials regularly. We have several mechanisms to protect user accounts, including system accounts, roles and permissions to limit access, and integration with third-party identity providers such as Okta (SAML), Google or GitHub.

To continue this focus, we recently released support for setting API tokens to expire after a configurable amount of time, which forces regular rotation.

Configuring API Token Expiry

Configuring the expiration setting requires administrator access with the system_preference:manage:* permission. Head to Settings > Preferences, where you will have the option to enable expiry and set the allowable token lifetime:

(Screenshot: API Tokens Preferences)

The API token expiry date is calculated from the moment the token was created or last regenerated, and applies to both the read-only and read-write tokens.

The setting applies to all users, including System Accounts, so be sure to rotate any tokens used in CI before they expire so that your builds don't start failing!

When an API token is due to expire, you will be presented with an in-application notice (whether this notice is displayed is also configurable):

(Screenshot: API Token is expiring)

You will also see this information from within the API Tokens settings page:

(Screenshot: Expired API Token)
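The expiry rule above (lifetime counted from creation or last regeneration, applied to both token kinds) can be mirrored in a small pre-build check so that CI system-account tokens are rotated before they stop working. The following is an added example, not PactFlow's own code; the lifetime, notice window and token inventory are constructed assumptions, and in practice the dates would come from the API Tokens settings page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed values standing in for the Settings > Preferences configuration.
MAX_LIFETIME_DAYS = 90    # allowable lifetime of a token
NOTICE_WINDOW_DAYS = 14   # how far ahead of expiry to start warning


@dataclass
class ApiToken:
    owner: str                            # user or system account name
    kind: str                             # "read-only" or "read-write"
    created: datetime                     # when the token was first issued
    regenerated: Optional[datetime] = None  # last regeneration, if any

    def expires_at(self, lifetime_days: int = MAX_LIFETIME_DAYS) -> datetime:
        # The clock starts at creation, or at the most recent regeneration.
        anchor = self.regenerated or self.created
        return anchor + timedelta(days=lifetime_days)


def token_status(token: ApiToken, now: datetime,
                 lifetime_days: int = MAX_LIFETIME_DAYS,
                 notice_days: int = NOTICE_WINDOW_DAYS) -> Tuple[str, int]:
    """Classify a token as 'expired', 'expiring' or 'ok' with whole days left."""
    remaining = token.expires_at(lifetime_days) - now
    days_left = int(remaining.total_seconds() // 86400)  # negative once expired
    if remaining <= timedelta(0):
        return "expired", days_left
    if remaining <= timedelta(days=notice_days):
        return "expiring", days_left
    return "ok", days_left


def rotation_report(tokens: List[ApiToken], now: datetime) -> List[Tuple[str, str, str, int]]:
    """Return (owner, kind, status, days_left) for every token needing attention."""
    report = []
    for tok in tokens:
        status, days_left = token_status(tok, now)
        if status != "ok":
            report.append((tok.owner, tok.kind, status, days_left))
    return report


# Constructed sample inventory: one stale CI token, one recently regenerated token, one fresh one.
UTC = timezone.utc
SAMPLE_TOKENS = [
    ApiToken("ci-bot", "read-only", datetime(2024, 1, 1, tzinfo=UTC)),
    ApiToken("alice", "read-write", datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 10, tzinfo=UTC)),
    ApiToken("bob", "read-only", datetime(2024, 5, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for entry in rotation_report(SAMPLE_TOKENS, datetime(2024, 6, 1, tzinfo=UTC)):
        print("%s (%s): %s, %d day(s) left" % entry)
```

Run it as a CI pre-step and fail the job when any system-account token comes back "expired" or "expiring", so the rotation happens before a build breaks.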

Available now

The API token expiration feature is available now, on all plans.
