SonarQube Enterprise Token Maximum Lifetime is not customizable

Must-share information (formatted with Markdown):

  • SonarQube Enterprise
  • On-Premise deploy by local IT team.
  • Set a customized token maximum lifetime in days (e.g. 180 days) according to the doc: Generating and using tokens
  • There are only fixed lifetime choices (30 days, 90 days, 1 year, No expiration) listed for the token maximum lifetime setting. I cannot set the token maximum lifetime to 180 days or other values not listed here.
    Is there any other way I can set 180 days for the token maximum lifetime? Or is there any enhancement feature for a customized token maximum lifetime on the SonarQube roadmap?



Welcome to the community!

I’ve moved your topic to the Product Manager for a Day subcategory since the functionality doesn’t exist.

Could you share why you need to set an arbitrary lifetime?


Hi Ann,
Thanks for the quick response.
This functionality is only provided in SonarQube Enterprise version according to the doc: Generating and using tokens.
I’m just wondering why only the listed day options are available to set, but no customized day values?
The motivation to set a 180-day token expiration is to comply with company security rules.


That’s correct. You can only set an expiration in Enterprise Edition.

I believe we provided the most common defaults. Could you explain why you need to set an arbitrary expiration?


Hi Ann,
According to our company security policy, we classify Sonar users into 2 types: human user and service account (for API access automation).

  • Human user password & token must rotate after maximum 180 days.
  • Service account token must rotate after maximum 365 days (1 year).
    Both human users and service account users can create tokens from My Account → Security with the maximum lifetime defined by the Admin per Token maximum lifetime.
    We are expecting to set different token maximum lifetimes for human users and service accounts for company security policy. However, SonarQube cannot distinguish human users and service accounts; we can only set a single global token maximum lifetime for all accounts. To comply with the security policy for both human users and service accounts, our Sonar Admin had to set the token maximum lifetime to 90 days (since no separate setting is available, and 180 days complies with both account types but 180 days is not available in the current list).

Refreshing the Sonar token every 90 days is tedious and unnecessary. To decrease the maintenance effort, we would prefer a 180-day token maximum lifetime for both human users and service accounts.
Arbitrary expiration is not mandatory if an additional 180 days option is available.


Hi James,

Welcome to the community!
Thank you for your insights on that topic.

Regarding the explanation you provide, I am wondering why you have to define 2 types of users?

And why the token maximum lifetime is different between the two?



This is from company security policy.

  • A human user is supposed to log in to the Sonar WebUI and check reports. Sometimes human users also create tokens for Sonar automation purposes.
  • A service account is intended to be used for Sonar automation (e.g. CICD pipeline Sonar scan) with a token. A service account is a team shared account which belongs to the team admin only.
    Company IT security policy requires human users to rotate their password/token at least every 180 days.
    For service accounts, the potential token leak risk is lower than for human accounts, therefore the security policy only requires a rotation period of every 365 days to save the maintenance effort (refresh the token and re-configure the new token in the CICD pipeline).

The different lifetime for different account types is defined by company security policy.
A 180-day lifetime complies with the security policy for both human users (180 days) and service accounts (less than 365 days).


Hi @JamesFromSiemens,

Thanks for providing some explanation and for bringing this to our attention. We take your feedback into consideration. We will track the interest in this feature from now on.


Hi Alexander & Ann,
Thanks very much for your understanding and support!
Looking forward to an additional 180 days option for token maximum lifetime being available in an upcoming SonarQube Enterprise release soon. :handshake:

