Personal Access Token Lifecycle APIs now publicly available

Angel Wong

Since releasing our Personal Access Token (PAT) Lifecycle Management APIs in private preview last month, we’ve received overwhelming interest from folks who are looking for a more robust alternative to the existing UI for creating and managing their PATs.

This API will be of great interest to organizations that are looking to strengthen their security posture and reduce risk against potential attackers through frequent PAT rotation. Given how powerful PATs can be and the access they can grant to your Azure DevOps resources, it is good practice to rotate your PATs on a regular basis. Since PATs have an expiration date set at the time of creation, it’s even more critical to rotate PATs to ensure applications that are reliant on them keep running smoothly.

Many private preview participants have been able to leverage these APIs to set up automated pipelines for rotating soon-to-be-expired PATs being used within their apps. Gone are the days of manual rotation for your PATs every few months, phew!

We are happy to announce that these APIs are now available to the general audience. To learn how to use these APIs, we’ve provided new public documentation on:

  1. how to authenticate API calls with a valid AAD token,
  2. what methods are available in the API Reference,
  3. and a sample application you can use to see how the API is being used.

To learn more about the API and commonly asked questions, like “Why do we need to authenticate with an AAD token”, check out the FAQ section in the documentation.

We know that this has been a highly requested feature by you and your teams, so we’re happy to deliver this new tool to help alleviate PAT maintenance overload and allow your teams to focus on other work that matters.

To share any feedback you have on how you’ve been using the API or how it can be improved, please don’t hesitate to comment on the blog post below or share it with the Developer Community.