API Token Rotation
It is good security practice to rotate your credentials regularly. We already provide several mechanisms to protect user accounts, including system accounts, roles and permissions that limit access, and integration with third-party identity providers such as Okta (SAML), Google or GitHub.
To continue this focus, we recently released support for setting API tokens to expire after a configurable amount of time, which forces rotation.
Configuring API Token Expiry
Configuring the expiration setting is allowed for administrators with the system_preference:manage:* permission. Head to Settings > Preferences, where you will have the option to enable expiry and set the allowable token lifetime.
The API token expiry date is calculated from the moment the token was created or last regenerated, whichever is later, and it applies to both the read-only and the read-write token.
The setting applies to all users, including System Accounts, so make sure you rotate the tokens used in CI before they expire so that your builds don't start failing.
When an API token is due to expire, you will be presented with an in-application notice (the display of which is also configurable).
You will also see this information within the API Tokens settings page.
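The expiry rule described above (lifetime counted from creation or the most recent regeneration, applied to every account including System Accounts) is straightforward to audit on your own side, which is the practical way to avoid a surprise CI failure. The following is an added example, not code from the original post or from the product: a small Python script that takes the token metadata you already track, computes each token's expiry date from the configured lifetime, and reports which tokens are expired or already inside the notice window. The token records, the 90-day lifetime, the 14-day notice window and the fixed "now" are constructed values for the example.

```python
# Added example (not the product's own code): audit API tokens against a
# configured lifetime and flag the ones that need rotating before they expire.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ApiToken:
    owner: str                          # user or system account name (constructed)
    kind: str                           # "read-only" or "read-write"
    created_at: datetime
    regenerated_at: Optional[datetime]  # None if the token was never regenerated
    system_account: bool = False        # True for tokens used by CI / automation


def expires_at(token: ApiToken, lifetime: timedelta) -> datetime:
    """Expiry counts from creation or the most recent regeneration."""
    start = token.regenerated_at or token.created_at
    return start + lifetime


def token_status(token: ApiToken, lifetime: timedelta,
                 notice_window: timedelta, now: datetime) -> str:
    """Classify a token as 'expired', 'expiring' (inside the notice window) or 'ok'."""
    remaining = expires_at(token, lifetime) - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= notice_window:
        return "expiring"
    return "ok"


def rotation_report(tokens: List[ApiToken], lifetime: timedelta,
                    notice_window: timedelta, now: datetime) -> List[dict]:
    """Return the tokens that need attention, expired first, then soonest expiry."""
    rows = []
    for token in tokens:
        status = token_status(token, lifetime, notice_window, now)
        if status == "ok":
            continue
        days_left = max(0, (expires_at(token, lifetime) - now).days)
        rows.append({
            "owner": token.owner,
            "kind": token.kind,
            "status": status,
            "days_left": days_left,
            # A system-account token that lapses usually means a broken pipeline.
            "ci_risk": token.system_account,
        })
    rows.sort(key=lambda r: (r["status"] != "expired", r["days_left"]))
    return rows


# Constructed sample data: a fixed "now" keeps the output deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LIFETIME = timedelta(days=90)        # the configured allowable lifetime
NOTICE_WINDOW = timedelta(days=14)   # how early to warn before expiry

SAMPLE_TOKENS = [
    # CI token created 80 days ago, never regenerated: 10 days left.
    ApiToken("ci-deploy", "read-write", NOW - timedelta(days=80), None, system_account=True),
    # User token regenerated 5 days ago: the clock restarted, so it is fine.
    ApiToken("alice", "read-only", NOW - timedelta(days=120), NOW - timedelta(days=5)),
    # Forgotten automation token created 100 days ago: already expired.
    ApiToken("legacy-mirror", "read-only", NOW - timedelta(days=100), None, system_account=True),
]

if __name__ == "__main__":
    for row in rotation_report(SAMPLE_TOKENS, LIFETIME, NOTICE_WINDOW, NOW):
        print(row)
```

Run it as a scheduled job with the real lifetime you configured and a notice window at least as long as your CI rotation lead time; anything flagged with ci_risk should be regenerated and the new value pushed to the pipeline's secret store before the expiry date.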
Available now
The API token expiration feature is available now, on all plans.