[Request for Feedback] Expiration policies and lifetime changes for PATs

[hpsin]

We've launched the ability to restrict PAT lifetimes if the PAT is going to be used against your organization or resource. As part of this change, we've also allowed fine-grained PATs to be created without an expiration.

The default policy for all orgs and enterprises retains the existing 366 day maximum for fine-grained PATs.

Please check out the changelog for more details, and let us know what you think!

Known issues

• Fixed: Editing a token was triggering a 404 page with an error message about the lifetime policy.

[mve]

I'm having some trouble creating a token without an expiration.

In the org i've unchecked "Fine-grained personal access tokens must expire".
Then on this page I'm trying to create a new fine-grained PAT. I've set the resource owner to the org but I don't see the option to have no expiration date. I only see 7 - 90 days and custom only goes to 1 year. The org is on the "free" plan and I am an owner of the org.

[hpsin]

Thanks! This should be fixed now, we had a feature flag stuck.

[mve]

Perfect, I see the option now! Thanks for this new feature. This was the main reason I was still using classic tokens for some use cases.

[HikaruEgashira]

I'm trying to enable this policy in the enterprise.

After enabling this option, if unexpected API call failures are discovered and the policy is temporarily disabled, will the call failures recur?

[hpsin]

No, if you disable the policy it'll stop blocking API calls. So you can "brownout" or "scream test" long lived tokens here by setting the token, checking your streaming logs, and then deciding if you want to roll back.

[hfhbd]

We would like to disable the classic PATs for our org, but unfortunately we need read Packages (maven) support only.

Is there any option to limit a classic PAT for an org to allow only specific scopes and disable all other scopes?

[hpsin]

Ah, no, I'm afraid not. The only option today would be to run a job that checks for tokens that don't match your allowlist and revoke their access to the organization, by removing their SSO credential authorization.