Why do the API tokens need to expire as long as they are being used? If I set this token up and am actively using it, what is going to happen when it expires? My application will just break (that'd be my assumption). That seems ridiculous.
@John Churchill from an InfoSec perspective it seems ridiculous that tokens were ever able to not expire. It's standard practice to renew any connectivity method on a regular basis. Like your password should change every 90-180 days, even though it's actively in use, for security purposes.
Additionally, the expiration helps admins to get rid of unused connections without much additional work. The instance that I manage (~5000 active users) has 270 API tokens. For me to keep up with 270 tokens is absurd, but having them auto-expire leaves the company less vulnerable and gives 270 people 1 thing to do (that takes ~5 minutes if coded properly) once/year.
Maybe I haven't thought it through yet but I was planning to automate upstream which means that these automations would break. A manual process to update a token that is in use is NOT a good idea. If it cannot be automated, then I agree, it should expire. I'm used to tokens that evaluate whether or not they are in use but maybe I don't understand where these can be used.
See, in my opinion a manual process to update the token is the only functional method. Otherwise you have automated processes that run for years without ever being used.
The manual intervention requires somebody to confirm the process is still active and actually used. It should come with a 2+ week reminder to the token owner and daily reminders subsequent. This also ensures that API owners remain current.
Hey @John Churchill - Welcome to the Atlassian community. This seems debatable, but if you ask my opinion, I think token expiration gives more control to admins and it also adds a security layer on top of it.
Please see the article below - Token Expiration
Thanks,
Bharat