Managing API Tokens

Disabling:  We recommend that you configure your Security settings to automatically disable tokens that have no recent activity within the past 365 days. To configure this, see Disabled Unused Tokens. To perform this action manually, see Disabling API Tokens.

Deleting: We recommend that you delete tokens no longer used. To perform this action manually, see Disabling API Tokens.

Rotating: We recommend proactively rotating API tokens at least yearly (every 365 days). For high-level steps on how to do so, see the below:

• Generate a new API token. This token will be used for authenticating API requests made on behalf of this user.
• Update any existing systems or scripts that use the previous API token with the newly generated API token. This ensures that future API requests are authenticated using the new token.
• Once you have confirmed that the new API token is being used successfully and there are no issues with the transition, disable the previous API token to prevent any unauthorized access.
• After sufficient time has passed and you have confirmed the previous API token is no longer in use, delete the token from the system to remove any potential security risks associated with its existence.

To determine API token activity, the following can be used:

• Examining information in the Last Used and Last IP columns under Settings > Users and Roles > LMv1 API Tokens | Bearer Tokens 

For related event details, see Audit Logs.