Personal Access Token Lifecycle APIs now publicly available

Angel

Since releasing our Personal Access Token (PAT) Lifecycle Management APIs in private preview last month, we’ve received overwhelming interest from folks who are looking for a more robust alternative to the existing UI for creating and managing their PATs.

This API will be of great interest to organizations who are looking to strengthen their security posture and reduce risk against potential attackers through frequent PAT rotation. Given how powerful PATs can be and the access they can grant to your Azure DevOps resources, it is good practice to rotate your PATs on a regular basis. Since PATs have an expiration date set at time of creation, it’s even more critical to rotate PATs to ensure applications that are reliant on them keep running smoothly.

Many private preview participants have been able to leverage these APIs to set up automated pipelines for rotating the soon-to-expire PATs used within their apps. Gone are the days of manual rotation for your PATs every few months, phew!

We are happy to announce that these APIs are now available to the general audience. To learn how to use these APIs, we’ve provided new public documentation on:

  1. how to authenticate API calls with a valid AAD token,
  2. what methods are available in the API Reference,
  3. and a sample application you can use to see how the API is being used.

To learn more about the API and commonly asked questions, like “Why do we need to authenticate with an AAD token”, check out the FAQ section in the documentation.
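To make the rotation pipeline described above concrete, here is an added example, written for this post and not part of Microsoft's documentation or sample application. It lists the caller's PATs, creates a replacement for each one that expires within a chosen window (including any that have already lapsed), and only then revokes the old one, so the dependent app is never left without a working credential. The endpoint, API version and payload field names are assumptions drawn from my reading of the public API reference; the sample List response and the "today" date are constructed, and the Authorization header carries an AAD bearer token rather than a PAT, as the documentation linked above requires.

```python
import io
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed, not taken from the post: endpoint, API version and payload field names
# follow the public PAT Lifecycle Management API reference as I read it.
PAT_API = "https://vssps.dev.azure.com/{org}/_apis/tokens/pats?api-version=7.1-preview.1"
SAMPLE_NOW = datetime(2021, 10, 20, tzinfo=timezone.utc)  # constructed "today"

# Constructed sample List response. "token" is null because the API returns the
# secret only for a PAT it has just created, never for an existing one.
SAMPLE_LIST = {"continuationToken": None, "patTokens": [
    {"displayName": "ci-build-agent", "scope": "vso.build", "validFrom": "2021-10-01T00:00:00Z",
     "validTo": "2021-11-05T00:00:00Z", "authorizationId": "aaaaaaaa-0000-0000-0000-000000000001", "token": None},
    {"displayName": "release-pipeline", "scope": "vso.release", "validFrom": "2021-10-01T00:00:00Z",
     "validTo": "2022-03-01T00:00:00.0000000Z", "authorizationId": "aaaaaaaa-0000-0000-0000-000000000002", "token": None},
    {"displayName": "already-expired", "scope": "vso.code", "validFrom": "2021-01-01T00:00:00Z",
     "validTo": "2021-10-15T00:00:00Z", "authorizationId": "aaaaaaaa-0000-0000-0000-000000000003", "token": None},
]}


def parse_ado_time(value: str) -> datetime:
    """Parse the UTC timestamps the API returns, with or without the seven-digit
    fractional seconds that .NET services commonly emit."""
    value = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def select_for_rotation(listing: dict, now: datetime, window_days: int) -> list:
    """PATs whose validTo falls within window_days of now, soonest first. PATs that
    have already expired are included: whatever depends on them is already broken."""
    cutoff = now + timedelta(days=window_days)
    due = [p for p in listing["patTokens"] if parse_ado_time(p["validTo"]) <= cutoff]
    return sorted(due, key=lambda p: parse_ado_time(p["validTo"]))


def _headers(aad_token: str) -> dict:
    # The bearer value must be an Azure AD access token issued for Azure DevOps;
    # the lifecycle API does not accept a PAT as its own credential.
    return {"Authorization": f"Bearer {aad_token}", "Accept": "application/json",
            "Content-Type": "application/json"}


def build_list_request(org: str, aad_token: str) -> urllib.request.Request:
    return urllib.request.Request(PAT_API.format(org=org), headers=_headers(aad_token), method="GET")


def build_create_request(org, aad_token, old_pat, now, lifetime_days) -> urllib.request.Request:
    """Replacement PAT with the retiring PAT's name and scope and a fresh expiry."""
    body = {"displayName": old_pat["displayName"], "scope": old_pat["scope"], "allOrgs": False,
            "validTo": (now + timedelta(days=lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")}
    return urllib.request.Request(PAT_API.format(org=org), data=json.dumps(body).encode(),
                                  headers=_headers(aad_token), method="POST")


def build_revoke_request(org, aad_token, authorization_id) -> urllib.request.Request:
    url = PAT_API.format(org=org) + "&authorizationId=" + authorization_id
    return urllib.request.Request(url, headers=_headers(aad_token), method="DELETE")


def rotate_expiring(org, aad_token, now, window_days, lifetime_days, send=urllib.request.urlopen):
    """List, create a replacement for each PAT that is due, then revoke the old one.
    Create-before-revoke keeps the dependent app working throughout; `send` is
    injectable so the flow can be exercised offline. Returns (old_id, new_pat) pairs."""
    listing = json.loads(send(build_list_request(org, aad_token)).read())
    rotated = []
    for old in select_for_rotation(listing, now, window_days):
        created = json.loads(send(build_create_request(org, aad_token, old, now, lifetime_days)).read())
        if created.get("patTokenError"):
            raise RuntimeError(f"create failed for {old['displayName']}: {created['patTokenError']}")
        new_pat = created["patToken"]
        # new_pat["token"] is the only copy of the new secret: hand it to the
        # consuming app's secret store here, before the old PAT goes away.
        send(build_revoke_request(org, aad_token, old["authorizationId"]))
        rotated.append((old["authorizationId"], new_pat))
    return rotated


def fake_send(req: urllib.request.Request) -> io.BytesIO:
    """Stand-in for urlopen: answers with constructed responses shaped like the API's."""
    if req.get_method() == "GET":
        payload = SAMPLE_LIST
    elif req.get_method() == "POST":
        payload = {"patToken": {**json.loads(req.data), "token": "constructed-secret-value",
                                "authorizationId": "bbbbbbbb-0000-0000-0000-000000000009"},
                   "patTokenError": None}
    else:  # DELETE returns no body
        payload = {}
    return io.BytesIO(json.dumps(payload).encode())


def demo() -> list:
    """Run the rotation offline against the constructed sample with a 30-day window."""
    return rotate_expiring("example-org", "AAD_TOKEN_PLACEHOLDER", SAMPLE_NOW, 30, 90, send=fake_send)


if __name__ == "__main__":
    for old_id, new_pat in demo():
        print(f"rotated {new_pat['displayName']}: {old_id} -> {new_pat['authorizationId']}, expires {new_pat['validTo']}")
```

Against the real service, call `rotate_expiring(org, aad_token, datetime.now(timezone.utc), 30, 90)` with an AAD access token obtained for the Azure DevOps resource; the ordering (create, store the new secret, then revoke) is the part worth keeping whatever client you use, since the secret of the new PAT is returned exactly once.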

We know that this has been a highly requested feature by you and your teams, so we’re happy to deliver this new tool to help alleviate PAT maintenance overload and allow your teams to focus on other work that matters.

To share any feedback you have on how you’ve been using the API or how it can be improved, please don’t hesitate to comment on the blog post below or share it with the Developer Community.

8 comments


  • Andre Wanlin

    Hi Angel, this is great news. Any ideas on the timeline for this getting into Azure DevOps Server for on-premise people?

    Also, it’s not clear to me from reading the documentation but will we be able to get a list of all the PATs along with the user they belong to? One of the biggest issues we have is there is no way to get a notification when a PAT is about to expire or has expired. If the API can give us this information we can build something for this as well as implement some renewal automation as needed

    Thanks for keeping us updated on this work!!!

    • Angel Wong (Microsoft employee)

      Happy to hear that Andre! At the moment there is no support for Azure DevOps Server, but we have this noted in our backlog as a requested feature.

      This API will allow a user to get a list of all the PATs they own and the associated PAT metadata, which should include expiration date. For organization admins who are interested in seeing PATs that their users own, you can check out the tokenadmin API. Cheers!

      • Andre Wanlin

        Thanks for following up Angel, appreciate it.

        I’ll take a look at the tokenadmin API, seems it should work for Azure DevOps Server 2020, not sure how I missed that

        Thanks again! 🙂

  • Kyle Cherewyk

    Hi Angel,
    I am trying to use these new token APIs to build out a simple script to update our token expiry time. But when I try to use the list token endpoint after I pass my Azure DevOps PAT with token management permissions into the header, I get this 403 consistently:

    {
        "$id": "1",
        "innerException": null,
        "message": "The requested operation is not allowed.",
        "typeName": "Microsoft.TeamFoundation.Framework.Server.InvalidAccessException, Microsoft.TeamFoundation.Framework.Server",
        "typeKey": "InvalidAccessException",
        "errorCode": 0,
        "eventId": 3000
    }

    I have tried to update my token permissions and even my project permissions. Is there some background permissions issue that I have yet to discover?