20 Feb 2024 06:45 PM - last edited on 07 Mar 2024 08:58 AM by Michal_Gebacki
In order to maintain strict control over tokens we typically attach an expiration date where applicable now that we are in the DPS model. So we had a team who requested a PaaS token permission set, we put it to expire at the end of January. The team has since then requested an extension which has been granted. Yes, you cannot edit/alter token access after they are formulated. So I won't be able to extend the expiry date, which is fine. But what I can do is clone the token and provide a new one with another month window.
This is where things get odd.... Dynatrace doesn't mention in any documentation that I found that it will auto delete a token after it expires for x amount of days.
Here is the original token:
2 weeks after the expiry the team requested a token extension. To which I tossed in the Token ID but it was nowhere to be found in the system. Which prompted me to pull the audit log where we find this:
Notice the Token worker has deleted the 'Expired' token on the 4th of February.
Now I'm all for keeping a clean environment, but this caught me off guard. The token expired on Jan. 27th and was auto deleted on Feb 4th, 6 days later.
It could have been a fluke... so we created a test one called "Poof - The Magic Token". By Wednesday/Thursday we will see if the system deleted the token. It's already marked as expired:
Please let me know what you may have run into with this as well.
20 Feb 2024 11:40 PM
When a token expires, it ceases to function, meaning attempts to use it for authentication will result in a 401 error. Despite this, the token remains visible in the UI and is accessible through the token API endpoints (/api/v1/tokens/<ID> or /api/v2/apiTokens/<ID>). Seven days after its expiration, the token is automatically deleted, at which point it will no longer appear in the UI, and the token API will return a 404 error for that specific token ID.
It's also worth noting that a token's status can be changed to disabled, either via the API or by altering the "Enabled" toggle within the token UI.
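Added example, not part of the thread and not Dynatrace code: a small offline report that applies the seven-day deletion window described in the answer above to token metadata, so an admin can see which expired tokens can still be cloned and by when. The record fields (`id`, `name`, `enabled`, `expirationDate`), the 14-day warning window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Per the answer above: an expired token is deleted seven days after expiry.
PURGE_AFTER = timedelta(days=7)

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-27T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def lifecycle(token, now):
    """Return (state, purge_time) for one token metadata record."""
    enabled = token.get("enabled", True)
    if not token.get("expirationDate"):
        return ("active" if enabled else "disabled"), None
    expires = parse_ts(token["expirationDate"])
    purge = expires + PURGE_AFTER
    if now >= purge:
        return "deleted", purge    # lookup by token ID now returns 404
    if now >= expires:
        return "expired", purge    # authentication fails with 401, still listed
    return ("active" if enabled else "disabled"), purge

def needs_attention(tokens, now, warn=timedelta(days=14)):
    """Tokens already expired or expiring within `warn`, soonest purge first."""
    rows = []
    for tok in tokens:
        state, purge = lifecycle(tok, now)
        if purge is None or state == "deleted":
            continue
        if state == "expired" or purge - PURGE_AFTER - now <= warn:
            rows.append({"id": tok["id"], "name": tok["name"],
                         "state": state, "purge_at": purge})
    return sorted(rows, key=lambda r: r["purge_at"])

# Constructed sample records (field names are assumptions, not an API dump).
SAMPLE_TOKENS = [
    {"id": "sample-a", "name": "paas-team", "enabled": True,
     "expirationDate": "2024-01-27T12:00:00Z"},
    {"id": "sample-b", "name": "ci-ingest", "enabled": True,
     "expirationDate": "2024-02-10T00:00:00Z"},
    {"id": "sample-c", "name": "long-lived", "enabled": True},
    {"id": "sample-d", "name": "old-test", "enabled": False,
     "expirationDate": "2024-01-10T00:00:00Z"},
]

if __name__ == "__main__":
    now = datetime(2024, 2, 1, tzinfo=timezone.utc)
    for row in needs_attention(SAMPLE_TOKENS, now):
        print(row["purge_at"].isoformat(), row["state"], row["id"], row["name"])
```

Any clone of an expired token has to happen before its `purge_at` time, since after that the token ID can no longer be looked up.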