SonarQube Tokens expiration

Hi Team ,
We do not have an option to set an expiration duration/date for user tokens. Do you have a plan of implementing any such feature in the future ? Can you please let me know some information around this, our security team raised this question.

Hello,

This feature is not directly “bundled” into SonarQube, and there is nothing in the roadmap which would indicate this will implemented anytime soon.

Mainly this is because we believe this feature can be indirectly provided through the usage of Web API .
Indeed a script based on Web API would provide all the flexibility that our diverse users would expect from their token expiration policy
Basic usage from Web API is about

  • listing the tokens ( GET api/user_tokens/search)
  • revoking them under some of your local requirements ( POST api/user_tokens/revoke)
    and such script could possibly implement specific custom actions in between (like notifying users whose tokens are close to the expiration date , setting custom token duration according to the user profile, etc…)
    And since this is not a SonarQube feature, your security team could fully own/maintain such script when required

I hope this reply finds you well

Eric