- name: "Non-expiring access tokens" announcement_milestone: "15.4" announcement_date: "2022-09-22" removal_milestone: "16.0" removal_date: "2023-05-22" breaking_change: true reporter: hsutor body: | # Do not modify this line, instead modify the lines below. Access tokens that have no expiration date are valid indefinitely, which presents a security risk if the access token is divulged. Because access tokens that have an exipiration date are better, from GitLab 15.3 we [populate a default expiration date](https://gitlab.com/gitlab-org/gitlab/-/issues/348660). In GitLab 16.0, any [personal](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html), [project](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html), or [group](https://docs.gitlab.com/ee/user/group/settings/group_access_tokens.html) access token that does not have an expiration date will automatically have an expiration date set at one year. We recommend giving your access tokens an expiration date in line with your company's security policies before the default is applied: - On GitLab.com during the 16.0 milestone. - On GitLab self-managed instances when they are upgraded to 16.0. stage: Manage tiers: [Free, Premium, Ultimate] issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/369122