cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Token Expiry: after X days the token auto deletes

ChadTurner
DynaMight Legend
DynaMight Legend

In order to maintain strict control over tokens we typically attach an expiration date where applicable now that we are in the DPS model. So we had a team who requested a PaaS token permission set, we put it to expire at the end of January. The team has since then requested an extension which has been granted. Yes, you cannot edit/alter token access after they are formulated. So I wont be able to extend the expiry date, which is fine. But what I can do is clone the token and provide a new one with another month window. 

This is where things get odd.... Dynatrace doesn't mention in any documentation that I found that it will auto delete token after it expires for x amount of days. 

Here is the original token: 

ChadTurner_0-1708454234917.png

2 weeks after the expiry the team requested a token extension. To which I tossed in the Token ID but it was no where to be found in the system. Which prompted me to pull the audit log where we find this: 

ChadTurner_1-1708454367924.png

Notice the Token worker has deleted the 'Expired' token on the 4th of February. 

ChadTurner_2-1708454432318.png

Now I'm all for keeping a clean environment, but this caught me off guard. The token expired on Jan. 27th and was auto deleted on Feb 4th, 6 days later. 

It could have been a fluke... so we created a test one called "Poof - The Magic Token" by Wednesday/Thursday we will see if the system deleted the token. Its already marked as expired: 

ChadTurner_3-1708454626942.png

 

ChadTurner_4-1708454681934.png

 

Please let me know what you may have run into with this as well. 

 

 

 

-Chad
1 REPLY 1

JoseRomero
Dynatrace Advisor
Dynatrace Advisor

When a token expires, it ceases to function, meaning attempts to use it for authentication will result in a 401 error. Despite this, the token remains visible in the UI and is accessible through the token API endpoints (/api/v1/tokens/<ID> or /api/v2/apiTokens/<ID>). Seven days after its expiration, the token is automatically deleted, at which point it will no longer appear in the UI, and the token API will return a 404 error for that specific token ID.

It's also worth noting that a token's status can be changed to disabled, either via the API or by altering the "Enabled" toggle within the token UI.

Featured Posts