Token Expiry & Rotation
How Protecto API token lifetimes work and best practices for rotating tokens safely.
Token lifetime
API tokens have a defined lifetime. When a token expires:
- Requests fail immediately with authentication errors
- No partial processing occurs
- The token must be replaced with a new one
Protecto does not automatically refresh tokens.
Token rotation best practices
Use separate tokens per environment
Never share a token between development, staging, and production. Separate tokens limit blast radius if one is compromised.
Store tokens in a secrets manager
Store tokens in a secure secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault, or GCP Secret Manager) rather than in environment files or source code.
Rotate tokens on a schedule
Establish a regular rotation cadence. Token rotation does not require any changes to your API requests beyond updating the header value.
Use separate tokens per service
Avoid sharing tokens across multiple services. Separate tokens allow you to revoke access for one service without affecting others.
Revoking a compromised token
If you suspect a token has been exposed:
- Revoke the token immediately via the Protecto portal or Super Admin API
- Issue a new token
- Update all affected services with the new token
Revoked tokens fail authentication immediately — no grace period applies.
If a token is exposed in a public repository or logs, treat it as compromised and rotate it immediately.
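The lifetime, rotation and revocation rules above translate into a small amount of client-side discipline: read the token from a secrets store, expect a hard 401 (not a partial result) once it expires or is revoked, and rotate in the order issue-new, publish-to-store, revoke-old so that running services pick up the new token without a deploy. The following Python client is an added example written for this page, not Protecto's SDK or any code from the Protecto project. It assumes a header name (`AUTH_HEADER`, set to `Authorization` with a bearer prefix) that you must confirm against the Protecto API reference; the secrets store is a dict standing in for AWS Secrets Manager, Vault or GCP Secret Manager, and `FakeProtectoTransport` is a constructed stand-in for the endpoint that only checks the token, so everything runs offline.

```python
"""Rotation-aware Protecto API client (added example, not Protecto's SDK).

Assumptions, labelled: AUTH_HEADER and the bearer format are placeholders
to be checked against the Protecto API reference. The secrets store is a
dict standing in for a real secrets manager, and the transport is a fake
that only validates the token, so this runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

AUTH_HEADER = "Authorization"  # assumed header name; confirm in the Protecto docs


class AuthError(Exception):
    """Raised when the API rejects the token and no newer token is available."""


@dataclass
class Response:
    status: int
    body: Dict[str, str]


class TokenSource:
    """Reads the current token from a secrets store on demand.

    `store` stands in for a secrets manager; in production this would call
    the manager's read API (e.g. get_secret_value, vault kv get)."""

    def __init__(self, store: Dict[str, str], key: str) -> None:
        self._store = store
        self._key = key

    def current(self) -> str:
        return self._store[self._key]


@dataclass
class FakeProtectoTransport:
    """Constructed stand-in for the Protecto endpoint: 401 unless the bearer
    token is in `valid_tokens`. Counts calls so behaviour can be checked."""
    valid_tokens: Set[str]
    calls: int = 0

    def __call__(self, headers: Dict[str, str], payload: Dict) -> Response:
        self.calls += 1
        token = headers.get(AUTH_HEADER, "")
        if token.startswith("Bearer "):
            token = token[len("Bearer "):]
        if token not in self.valid_tokens:
            # Expired or revoked tokens fail before any processing happens.
            return Response(401, {"error": "invalid or expired token"})
        return Response(200, {"status": "ok"})


class ProtectoClient:
    """Caches the token and re-reads the secrets store only after a 401.

    Protecto does not refresh tokens itself, so the client never renews
    anything: it can only pick up a token an operator already rotated."""

    def __init__(self, tokens: TokenSource,
                 transport: Callable[[Dict[str, str], Dict], Response]) -> None:
        self._tokens = tokens
        self._transport = transport
        self._token: Optional[str] = None

    def request(self, payload: Dict) -> Response:
        if self._token is None:
            self._token = self._tokens.current()
        resp = self._transport({AUTH_HEADER: f"Bearer {self._token}"}, payload)
        if resp.status != 401:
            return resp
        # Rejected: check whether the store already holds a rotated token.
        fresh = self._tokens.current()
        if fresh == self._token:
            raise AuthError("token rejected and the secrets store holds no newer "
                            "token; rotate the token and update the store")
        self._token = fresh
        resp = self._transport({AUTH_HEADER: f"Bearer {self._token}"}, payload)
        if resp.status == 401:
            raise AuthError("rotated token was rejected too; verify it was issued")
        return resp


def rotate(store: Dict[str, str], key: str, old_token: str, new_token: str,
           transport: FakeProtectoTransport) -> None:
    """Safe rotation order: issue the new token, publish it to the secrets
    store, then revoke the old one. Here issue/revoke only edit the fake
    transport's set; for real tokens those steps happen in the Protecto
    portal or Super Admin API."""
    transport.valid_tokens.add(new_token)      # 1. issue the new token
    store[key] = new_token                     # 2. update the secrets store
    transport.valid_tokens.discard(old_token)  # 3. revoke the old token
```

Because the client re-reads the store only on a 401, a rotation costs each running service exactly one failed call, after which it continues with the new token; if the store still holds the rejected token, the client raises immediately instead of retrying, which is the signal that the token expired or was revoked without a replacement being published.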