API tokens have an in-built expiry that cannot exceed 365 days from token creation, but what about the client ID/secret can issue from service accounts?
| Credential | Expiry |
|---|---|
| Service account API token | Expires between 1 and 365 days, default is one year. |
| Service account OAuth client ID/secret | No current built-in expiry; remains valid until revoked/rotated. |
| OAuth | expires_in: 3600, so integration should request a new access token when needed. |
Hi @Veli Akiner, no, the client ID/secret you get from a service account doesn't carry the 365-day cap that API tokens do. It has no built-in expiry and stays valid until you revoke or rotate it. The short-lived piece is the access token you mint from it: POST grant_type=client_credentials to https://auth.atlassian.com/oauth/token and the response comes back with expires_in 3600, so 60 minutes — when it lapses you just request another (documented in Atlassian's Create OAuth 2.0 credential for service accounts guide, https://support.atlassian.com/user-management/docs/create-oauth-2-0-credential-for-service-accounts/). Nothing on the credential itself has to be renewed on a schedule. Atlassian has an open request to add an optional expiry for these secrets, AX-1712 (Gathering Interest, https://jira.atlassian.com/browse/AX-1712), which confirms the current no-expiry behaviour. Rotation is on you, so revoke the old credential and create a fresh one whenever your security policy calls for it.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.