IA-5(7) / A.9.4.3 / CIS-5.3 / NIST SP 800-63B

Token expiry / rotation policy

Demonstrate that all authentication tokens are subject to enforced expiration periods and automated rotation mechanisms that invalidate old tokens upon renewal.

Description

What this control does

Token expiry and rotation policies enforce automatic invalidation of authentication tokens (API keys, OAuth tokens, session tokens, service account credentials) after a defined time period or usage threshold. This control mandates maximum lifetimes for tokens, forces periodic regeneration, and ensures old tokens are revoked upon rotation. It reduces the window of opportunity for attackers exploiting compromised credentials by limiting token validity and ensuring stale credentials cannot be reused indefinitely.

Control objective

What auditing this proves

Demonstrate that all authentication tokens are subject to enforced expiration periods and automated rotation mechanisms that invalidate old tokens upon renewal.

Associated risks

Risks this control addresses

  • Compromised API keys or access tokens remain valid indefinitely, allowing sustained unauthorized access after initial breach
  • Stolen session tokens enable prolonged session hijacking attacks beyond the initial compromise timeframe
  • Service account credentials leaked through code repositories or logs provide permanent backdoor access
  • Insider threats retain access through retained or duplicated tokens after legitimate access period ends
  • Lack of credential rotation allows dormant compromised tokens to be weaponized months or years after initial exposure
  • OAuth refresh tokens without expiry enable persistent unauthorized API access even after user password changes
  • Long-lived tokens increase blast radius of supply chain attacks where dependencies harvest and exfiltrate credentials

Testing procedure

How an auditor verifies this control

  1. Inventory all token types in use across the environment (API keys, OAuth access/refresh tokens, JWT tokens, session cookies, service account keys, personal access tokens, database credentials).
  2. Review identity and access management system configurations to identify maximum token lifetime settings for each token type.
  3. Extract and document configured expiration policies including maximum lifetimes, inactivity timeouts, and rotation schedules from IAM, API gateway, and authentication service configuration files.
  4. Select a representative sample of 10-15 active tokens across different types and privilege levels for testing.
  5. Generate new test tokens for each sampled type and record their creation timestamps and stated expiration times.
  6. Monitor sampled tokens through their lifecycle to verify automatic expiration occurs at or before the configured maximum lifetime.
  7. Attempt to use expired tokens to access protected resources and verify they are rejected with appropriate authentication failures.
  8. Review audit logs for evidence of token rotation events, including creation of new tokens and revocation of predecessor tokens, ensuring old tokens are invalidated upon rotation.

Evidence required

Configuration exports from identity providers, API gateways, and authentication services showing token lifetime parameters and rotation schedules. Audit logs demonstrating token issuance, expiration events, and failed authentication attempts using expired tokens. Screenshots or configuration files documenting maximum token lifetimes for each token type in use.

Pass criteria

All token types have documented maximum lifetimes not exceeding industry best practices (typically 1 hour for access tokens, 7 days for refresh tokens, 90 days for API keys), expiration mechanisms are enforced automatically, and testing confirms expired tokens are rejected by protected resources.
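The behaviour steps 6 to 8 of the testing procedure look for (automatic expiry at the configured lifetime, rejection of expired tokens, and rotation that revokes the predecessor with an audit trail) is shown below as an added Python example; it is not part of this control page or of any audit program. The lifetimes match the pass criteria above (1 hour, 7 days, 90 days); the 15-minute inactivity timeout, the `TokenService` class, the subject names and the fixed clock value are assumptions chosen for illustration.

```python
"""Added example (not from the control page): a minimal token service that
enforces the properties steps 6-8 of the testing procedure look for:
  * every token carries an absolute maximum lifetime and an inactivity timeout,
  * rotation issues a replacement and revokes the predecessor immediately,
  * expired, idle or revoked tokens are rejected and each rejection is logged.
Lifetimes follow the page's pass criteria; the idle timeout, class and
subject names are assumed values chosen for illustration."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

MAX_LIFETIME_SECONDS = {
    "access": 3600,          # 1 hour
    "refresh": 7 * 86400,    # 7 days
    "api_key": 90 * 86400,   # 90 days
}
DEFAULT_IDLE_TIMEOUT = 900   # 15 minutes; assumed, not a value from the page


@dataclass
class TokenRecord:
    subject: str
    kind: str
    issued_at: float
    expires_at: float
    last_used_at: float
    idle_timeout: float
    revoked_at: Optional[float] = None
    revoke_reason: Optional[str] = None
    successor: Optional[str] = None  # fingerprint of the token that replaced this one


class TokenService:
    """Stores only SHA-256 fingerprints of tokens, never the secrets themselves."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}
        self.audit_log: list[dict] = []  # evidence an auditor would ask for (step 8)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _log(self, event: str, fp: str, now: float, **extra) -> None:
        self.audit_log.append({"event": event, "token": fp[:12], "at": now, **extra})

    def issue(self, subject: str, kind: str, now: float,
              idle_timeout: float = DEFAULT_IDLE_TIMEOUT) -> str:
        token = secrets.token_urlsafe(32)
        fp = self._fingerprint(token)
        expires_at = now + MAX_LIFETIME_SECONDS[kind]  # lifetime is fixed at issue time
        self._records[fp] = TokenRecord(subject, kind, now, expires_at, now, idle_timeout)
        self._log("issued", fp, now, kind=kind, expires_at=expires_at)
        return token

    def validate(self, token: str, now: float) -> tuple[bool, str]:
        """Return (accepted, reason). Every rejection is written to the audit log."""
        fp = self._fingerprint(token)
        rec = self._records.get(fp)
        if rec is None:
            reason = "unknown_token"
        elif rec.revoked_at is not None:
            reason = "revoked"
        elif now >= rec.expires_at:          # absolute lifetime exceeded
            reason = "expired"
        elif now - rec.last_used_at > rec.idle_timeout:
            reason = "idle_timeout"
        else:
            rec.last_used_at = now           # sliding inactivity window
            return True, "ok"
        self._log("rejected", fp, now, reason=reason)
        return False, reason

    def rotate(self, old_token: str, now: float) -> str:
        """Issue a replacement and revoke the old token in the same step."""
        ok, reason = self.validate(old_token, now)
        if not ok:
            raise PermissionError(f"rotation refused: {reason}")
        old_fp = self._fingerprint(old_token)
        old = self._records[old_fp]
        new_token = self.issue(old.subject, old.kind, now, old.idle_timeout)
        old.revoked_at, old.revoke_reason = now, "rotated"
        old.successor = self._fingerprint(new_token)
        self._log("revoked", old_fp, now, reason="rotated", successor=old.successor[:12])
        return new_token


def demo():
    """Walk one token of each kind through the checks an auditor performs."""
    svc = TokenService()
    t0 = 1_700_000_000.0  # constructed clock; a real service uses time.time()
    results = {}

    access = svc.issue("svc-backup", "access", now=t0)
    results["fresh"] = svc.validate(access, now=t0 + 60)
    results["after_lifetime"] = svc.validate(access, now=t0 + 3600)  # step 7

    idle = svc.issue("svc-backup", "access", now=t0)
    results["idle"] = svc.validate(idle, now=t0 + 1000)  # unused past the idle window

    refresh = svc.issue("alice", "refresh", now=t0)
    new_refresh = svc.rotate(refresh, now=t0 + 600)
    results["old_after_rotate"] = svc.validate(refresh, now=t0 + 601)  # step 8
    results["new_after_rotate"] = svc.validate(new_refresh, now=t0 + 602)
    try:
        svc.rotate(refresh, now=t0 + 603)  # a revoked token cannot be rotated again
        results["rotate_revoked_raises"] = False
    except PermissionError:
        results["rotate_revoked_raises"] = True
    return results, svc.audit_log


if __name__ == "__main__":
    outcome, log = demo()
    for name, verdict in outcome.items():
        print(f"{name:>22}: {verdict}")
    for entry in log:
        print(entry)
```

The clock is passed in rather than read from `time.time()` so the same scenario can be replayed in a test; in production the server clock is the only one consulted, since a client-supplied time would let a caller extend its own lifetime. Two points the example simplifies: revocation state must be shared by every replica that validates tokens (a per-process dictionary would let a revoked token survive on another node), and the audit entries carry a truncated fingerprint rather than the token, so the log itself cannot become a second credential store.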