API Token Expiration and Rotation
Skytap’s REST API is an important tool to help you automate some of the management tasks associated with running your application in the cloud. Until now, the security tokens you used for secure API access had an unlimited lifespan, and token expiration was a manual process. Skytap has just introduce an API token expiration policy that lets administrators enforce limited lifespans for tokens, as well as adding support for two tokens per user (to allow for smooth rollover when tokens expire).
You can enable the API token expiration policy from the Access policy tab of the Security policies page. Just check the Enable API token expiration checkbox, set the desired duration (1 to 365 days), and then click Save.
Skytap now supports two active API security tokens for each user. This helps ensure smooth transition to a new token as an existing token nears its expiration date. The expiration date is listed beside each token on the My Account page in Skytap, where users can also view, copy, add, and delete tokens as needed. When a token expires, it is automatically removed from the list.
We have further reduced the risk surface area for API tokens by removing the automatic creation of tokens for each new user. Now when a user is created, the new user must click Add token on the My Account page to generate an API token.
If a security token is compromised, and the owner isn’t able to delete it, any administrator can delete that user’s tokens from the Edit User page. When a token is deleted, it is immediately invalidated and that user must generate a new token for API access.
You can find more information about API tokens here.