
Allow admins and owners to make PAT expiration enforcement optional

Problem to solve

In 12.6 we introduced a PAT expiration setting that automatically revokes tokens when the expiration date has been met or exceeded. This creates friction for users and doesn't provide flexibility in building smoother user experiences around credential rotation.

Currently, the programmatic enforcement of this expiration setting is unchangeable and there's no way to allow for "soft" enforcement to avoid disruption for users.

Intended users

Further details

Proposal

Provide a checkbox that allows the administrator or owner to specify "optional enforcement" of PAT expiration.

If enabled, the behavior remains unchanged and PATs are automatically revoked when the date is met or exceeded.

If disabled, GitLab will continue to notify the user via email, CLI, and/or in-app messaging about the expired credential, but will not automatically invalidate it.

[attached clip: clip-2020-06-01]

If a user's token is 7 days from expiring, we should display an in-app message to the user that says:

One or more of your personal access tokens will expire soon. Update Now

If a user's token has expired, we should display:

One or more of your personal access tokens has expired. Update Now

This message should probably persist until they dismiss it or take action.
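The following Ruby sketch is an added illustration of the proposed behaviour, not GitLab's own code: a policy object that takes the "optional enforcement" flag, classifies each token against a 7-day warning window and the expiration date, revokes only when enforcement is on, and picks the single banner text to show. The names (PatEnforcementPolicy, Token, sweep) and the sample tokens are constructed for the example.

```ruby
require 'date'

# Constructed example; class and method names are assumptions, not GitLab's API.
WARN_WINDOW_DAYS = 7

EXPIRING_MESSAGE = 'One or more of your personal access tokens will expire soon. Update Now'
EXPIRED_MESSAGE  = 'One or more of your personal access tokens has expired. Update Now'

Token = Struct.new(:name, :expires_at, :revoked, keyword_init: true)

class PatEnforcementPolicy
  # enforce: true  keeps today's behaviour: tokens past their date are revoked.
  # enforce: false is the proposed "soft" mode: the user is warned, nothing is revoked.
  def initialize(enforce:)
    @enforce = enforce
  end

  # Classifies one token for a given day. Sets token.revoked only when the
  # policy enforces expiration. Returns :none, :expiring, :expired or :revoked.
  def evaluate(token, today:)
    # Tokens without an expiry, or already revoked ones, need no action.
    return :none if token.expires_at.nil? || token.revoked

    days_left = (token.expires_at - today).to_i
    if days_left <= 0 # expiration date met or exceeded
      return :expired unless @enforce

      token.revoked = true
      :revoked
    elsif days_left <= WARN_WINDOW_DAYS
      :expiring
    else
      :none
    end
  end
end

# Runs the policy over a user's tokens and decides which single banner to show.
# An expired (or just-revoked) token outranks a merely expiring one, so the user
# sees the more urgent message; both texts already say "one or more".
# Returns { states: { name => state }, banner: message-or-nil }.
def sweep(tokens, enforce:, today: Date.today)
  policy = PatEnforcementPolicy.new(enforce: enforce)
  states = tokens.to_h { |t| [t.name, policy.evaluate(t, today: today)] }

  banner =
    if states.value?(:expired) || states.value?(:revoked)
      EXPIRED_MESSAGE
    elsif states.value?(:expiring)
      EXPIRING_MESSAGE
    end

  { states: states, banner: banner }
end

# Constructed sample data, evaluated as of 2020-06-01.
def sample_tokens
  [
    Token.new(name: 'ci',     expires_at: Date.new(2020, 6, 5),  revoked: false), # 4 days left
    Token.new(name: 'deploy', expires_at: Date.new(2020, 5, 30), revoked: false), # already past
    Token.new(name: 'today',  expires_at: Date.new(2020, 6, 1),  revoked: false), # date met
    Token.new(name: 'laptop', expires_at: Date.new(2020, 9, 1),  revoked: false), # far off
    Token.new(name: 'legacy', expires_at: nil,                   revoked: false)  # no expiry set
  ]
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2020, 6, 1)
  p sweep(sample_tokens, enforce: false, today: today) # soft mode: nothing revoked
  p sweep(sample_tokens, enforce: true,  today: today) # current behaviour: revoke
end
```

The boundary case worth noting is a token whose expiration date is today: the issue says revocation happens when the date "is met or exceeded", so `days_left <= 0` treats it as expired rather than waiting for the next day.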

Permissions and Security

Only administrators (for self-managed) and Group Owners (for GitLab.com) can modify this setting.

Documentation

Availability & Testing

What does success look like, and how can we measure that?

What is the type of buyer?

Is this a cross-stage feature?

Links / references

Edited by Dan Jensen