Personal API Tokens Now Require an Expiration Date

We’ve made a change to how Personal API Tokens (PATs) work on CircleCI. All newly created Personal API Tokens are required to have an expiration date, with a maximum validity of 1 year.

What changed
When creating a new Personal API Token, you will now be required to set an expiration date. Tokens can be valid for up to 1 year from the date of creation.

What hasn’t changed
This change only applies to new tokens. Existing Personal API Tokens created before today are not affected and will continue to work as before.

Why we made this change
Long-lived tokens that never expire are a security risk. Requiring an expiration date limits how long a token can be misused if it is ever compromised, and encourages regular credential rotation as a security best practice.

What you need to do
When creating new Personal API Tokens, you’ll need to specify an expiration date (max 1 year). We recommend reviewing your existing tokens and planning to rotate them, with expiration dates set on the replacements, as part of your regular security practices.