Back for more, y’all!
In the last post we talked about token lifespan. Today, let’s get practical: when should you actually use never-expiring tokens and when should you absolutely avoid them?
When to use never-expiring tokens:
- Production backend services that must run continuously without human login cycles.
- Automated pipelines or integrations that cannot tolerate token renewal lapses.
When NOT to use never-expiring tokens:
- Client-side apps (browser/mobile) where tokens can be exposed.
- Shared or semi-trusted environments (contractors, test machines).
- Scenarios where frequent rotation is a security requirement.
Best practices:
- Principle of least privilege: set the narrowest necessary permissions (Full, Write only, Read only).
- Store secrets securely: use a secret manager or encrypted vault; never commit tokens to source control.
- Plan rotation: even for “never expires,” schedule periodic manual rotation and revoke old tokens.
- Monitor usage: track where tokens are used; revoke immediately if you suspect exposure.
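To make the four practices above concrete, here is an added example (my own code, not part of the original post or of any product) of a small token-inventory audit. It assumes you keep a record of each token's permission level, creation date, expiry, the environment it lives in, and the hosts that have been seen using it; all token names, hosts and the 90-day rotation interval are constructed for the example. It flags never-expiring tokens in exposed environments, tokens overdue for rotation, tokens granted more than the integration needs, and tokens used from unexpected sources.

```python
"""Audit a token inventory against least privilege, rotation and usage checks."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy: even "never expires" tokens get rotated at least quarterly.
ROTATION_INTERVAL = timedelta(days=90)

# Permission levels from the post, ranked from narrowest to broadest.
PERMISSION_RANK = {"Read only": 0, "Write only": 1, "Full": 2}

# Environments where a long-lived token can be extracted by someone else.
EXPOSED_ENVIRONMENTS = {"browser", "mobile", "shared"}


@dataclass
class Token:
    name: str
    permission: str                 # granted level: "Full", "Write only", "Read only"
    required: str                   # level the integration actually needs
    created: date
    expires: Optional[date]         # None means the token never expires
    environment: str                # e.g. "backend", "pipeline", "browser", "shared"
    allowed_from: set[str] = field(default_factory=set)   # hosts expected to use it
    last_seen_from: set[str] = field(default_factory=set) # hosts observed using it


def audit_token(tok: Token, today: date) -> list[str]:
    """Return a list of findings for one token; an empty list means it looks fine."""
    findings: list[str] = []

    # Lifespan checks: never-expiring tokens only belong in controlled environments,
    # and still need a rotation schedule; expired tokens should be cleaned up.
    if tok.expires is None:
        if tok.environment in EXPOSED_ENVIRONMENTS:
            findings.append("never-expiring token in exposed environment")
        if today - tok.created > ROTATION_INTERVAL:
            findings.append("rotation overdue")
    elif tok.expires <= today:
        findings.append("expired; revoke and remove from inventory")

    # Least privilege: granted level must not exceed what the integration needs.
    if PERMISSION_RANK[tok.permission] > PERMISSION_RANK[tok.required]:
        findings.append(
            f"over-privileged: {tok.permission!r} granted but {tok.required!r} suffices"
        )

    # Usage monitoring: any host outside the expected set is a possible exposure.
    unexpected = sorted(tok.last_seen_from - tok.allowed_from)
    if unexpected:
        findings.append("used from unexpected source: " + ", ".join(unexpected))

    return findings


def audit_inventory(tokens: list[Token], today: date) -> dict[str, list[str]]:
    """Audit every token and return only the ones with findings, keyed by name."""
    report = {t.name: audit_token(t, today) for t in tokens}
    return {name: f for name, f in report.items() if f}


# Constructed sample inventory (not real tokens, hosts or dates).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_TOKENS = [
    Token("backend-sync", "Full", "Full", date(2024, 1, 1), None, "backend",
          {"app-server-1"}, {"app-server-1"}),
    Token("dashboard-widget", "Read only", "Read only", date(2024, 5, 1), None,
          "browser"),
    Token("ci-export", "Full", "Read only", date(2024, 5, 1), date(2024, 8, 1),
          "pipeline", {"ci-runner-2"}, {"ci-runner-2", "laptop-unknown"}),
    Token("login-autogen", "Write only", "Write only", date(2023, 12, 1),
          date(2024, 3, 1), "backend"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_TOKENS, SAMPLE_TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run it as a scheduled job against your real inventory export; anything it prints is a token to rotate, narrow, or revoke. The `allowed_from` / `last_seen_from` sets are the hook for whatever usage logging your platform provides.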
How to manage tokens:
- Create and manage Profile Tokens in your Account Details. You can define permissions and set the token to never expire if needed.
- Remember: auto-generated tokens (created on login) expire in 3 months by default.
Final thought and very important:
Never-expiring tokens are like a spare house key. Super convenient, buuuut you only give it to people you really trust.
Hope this tip helps our members build safer integrations!
Cheers,