System Admins can now set expiration times for API access tokens within their plan, which helps strengthen the plan's internal security controls. This feature applies to user access tokens and OAuth2.0 tokens.
System Admins can activate this feature in the Admin Center.
About expiration times
Once a System Admin sets expiration times, all existing and future tokens within the plan adhere to this duration and are automatically revoked upon expiration. However, if you don’t set an expiration time for your tokens, they remain active indefinitely unless a System Admin manually revokes them.
When choosing a duration, keep in mind that short durations can disrupt workflows, while long durations may pose security risks because a compromised token remains usable until it expires.
Best practice for existing tokens
To avoid breaking solutions when turning on access token expiration times, System Admins should inform all users that they might need to generate new tokens to avoid interruptions to automations.
Users receive an automated email notification seven days in advance for tokens approaching expiration. However, they can always verify the expiration date of their current API access tokens by navigating to Account > Personal Settings… and then selecting the API Access tab.
To configure the expiration time for access tokens
- Go to Admin Center > Security & Control.
- Navigate to the API Access Token tile.
- Slide the Expiration period toggle to enable the feature. You can set the duration by:
  - Minutes
  - Hours
  - Days
  - Months
  - Years
- Select Activate.
When to reach out for help
Contact Smartsheet Support if:
- A System Admin faces issues or errors while trying to set the token expiration duration.
- Tokens don't expire according to the set duration or expire despite not reaching the defined threshold.
Notes
- The expiration duration is set at the Smartsheet plan level, not the domain level. Tokens generated under different plans require separate configurations.
- The expiration time for tokens generated before the setup is calculated from the original token generation date, not from the date the System Admin set the configuration. This might cause some tokens to expire sooner than expected.
- You can’t assign individualized or role-based expiration dates, as this is a general setting for all tokens under the specified plan.
External systems that rely on these tokens must comply with the new expiration durations once set by the System Admin of the plan. Note that once a token expires, all token operations stop instantly.
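An added example, not Smartsheet code: because the expiration clock for existing tokens starts at the original generation date, a System Admin can estimate before activation which tokens a proposed duration would revoke immediately or within the seven-day notice window. The token inventory is constructed sample data, the function names are hypothetical, and calendar-month arithmetic with day clamping is an assumption about how months and years are counted.

```python
import calendar
from datetime import datetime, timedelta, timezone

def add_period(start, amount, unit):
    """Return start + amount of unit (month/year: calendar arithmetic, day clamped; assumption)."""
    if unit in ("minutes", "hours", "days"):
        return start + timedelta(**{unit: amount})
    if unit == "years":
        amount, unit = amount * 12, "months"
    if unit != "months":
        raise ValueError(f"unsupported unit: {unit}")
    year, month0 = divmod(start.year * 12 + (start.month - 1) + amount, 12)
    day = min(start.day, calendar.monthrange(year, month0 + 1)[1])
    return start.replace(year=year, month=month0 + 1, day=day)

def classify(tokens, amount, unit, now, notice=timedelta(days=7)):
    """Bucket tokens by what happens if the policy is activated at `now`."""
    report = {"expired_on_activation": [], "expires_within_notice": [], "ok": []}
    for name, created in tokens:
        # Expiry is counted from the token's generation date, not from `now`.
        expires = add_period(created, amount, unit)
        if expires <= now:
            bucket = "expired_on_activation"
        elif expires - now <= notice:
            bucket = "expires_within_notice"
        else:
            bucket = "ok"
        report[bucket].append((name, expires))
    return report

# Constructed inventory: (label, original generation time in UTC).
UTC = timezone.utc
TOKENS = [
    ("ci-export-job", datetime(2023, 1, 15, 9, 0, tzinfo=UTC)),
    ("crm-sync", datetime(2024, 3, 5, 12, 0, tzinfo=UTC)),
    ("reporting-dashboard", datetime(2024, 8, 31, 8, 30, tzinfo=UTC)),
]
NOW = datetime(2024, 9, 1, 0, 0, tzinfo=UTC)  # constructed activation time

if __name__ == "__main__":
    # Proposed policy for the dry run: 6 months.
    for bucket, items in classify(TOKENS, 6, "months", NOW).items():
        for name, expires in items:
            print(f"{bucket:24} {name:22} expires {expires:%Y-%m-%d %H:%M} UTC")
```

Owners of tokens in the first two buckets are the ones to contact before activation so they can generate new tokens.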
Why did my token expire earlier than the duration set?
This could be due to a manual revocation, or because your plan's System Admin changed the token expiration duration at the plan level.
Can I set different expiration durations for different user roles or departments?
No. Currently, the expiration duration is uniform across all roles within a plan.
Can I modify the expiration date of a token nearing its expiration?
No. Once set, the expiration duration is fixed. You'd need to refresh (for OAuth2.0 tokens) or generate a new token. To learn more, see Generate an API key.