As an Organization Owner user in an Identity Governance and Administration (IGA) activated Organization, you monitor the API tokens created in your Organization and set constraints for idle and maximum Time to live (TTL) for all newly created tokens.

To access the API Tokens dashboard, open the Cloud Services Console and navigate to Identity & Access Management > Governance > API Tokens. The dashboard that opens gives you a list of all API tokens created by users in your Organization.

For each API token, you can view details, such as token name, name of the Organization user who created the API token, creation and expiration dates, the date the token was last used, and the scopes of the token – the Organization roles assigned to the token.

The API Tokens dashboard list displays an alert icon next to any API token that violates the TTL policies set for your Organization. The TTL policies apply to all new API tokens created by the users in your Organization. If you change a TTL policy, the alert icon also appears next to previously created API tokens that violate the new setting, so tightening a policy surfaces existing tokens for review even though it does not revoke them.

There are two TTL policy settings you can activate, deactivate, or modify:
  • Idle Token TTL.

    This setting defines how long an API token may remain unused (measured from its last use) before it violates the policy.

  • Max Token TTL.

    This setting defines the maximum allowed Time to live for any API token created in your Organization. Organization users cannot generate API tokens with a TTL greater than the value defined by this setting.
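The two checks above are simple to reproduce, which is useful when you want to audit exported token metadata on your own schedule rather than wait for the dashboard's daily validation run. The following is an added example and is not VMware's code or its API; the token records, the policy values, and the rule that a never-used token counts as idle since its creation date are all constructed assumptions for illustration. It evaluates a list of tokens against an idle and a maximum TTL policy, shows that a token is rejected at creation time only by the Max Token TTL, and shows how tightening a policy flags tokens that were previously compliant.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class ApiToken:
    """Metadata for one API token as shown on the dashboard (constructed shape)."""
    name: str
    owner: str
    created: datetime
    expires: datetime
    last_used: Optional[datetime]  # None if the token has never been used


@dataclass
class TtlPolicy:
    """Organization TTL policies; None means that policy is deactivated."""
    idle_ttl: Optional[timedelta]
    max_ttl: Optional[timedelta]


def token_violations(token: ApiToken, policy: TtlPolicy, now: datetime) -> List[str]:
    """Return the names of the policies this token violates (empty if compliant)."""
    violations: List[str] = []
    # Max Token TTL: the token's total lifetime may not exceed the policy value.
    if policy.max_ttl is not None and token.expires - token.created > policy.max_ttl:
        violations.append("max_ttl")
    # Idle Token TTL: time since last use may not exceed the policy value.
    # Assumption: a token that has never been used is idle since its creation.
    if policy.idle_ttl is not None:
        last_activity = token.last_used or token.created
        if now - last_activity > policy.idle_ttl:
            violations.append("idle_ttl")
    return violations


def find_violations(tokens: List[ApiToken], policy: TtlPolicy, now: datetime) -> Dict[str, List[str]]:
    """Map token name -> violated policies, for tokens with at least one violation."""
    report: Dict[str, List[str]] = {}
    for token in tokens:
        found = token_violations(token, policy, now)
        if found:
            report[token.name] = found
    return report


def creation_allowed(requested_ttl: timedelta, policy: TtlPolicy) -> bool:
    """Only the Max Token TTL constrains creation; Idle TTL is judged after the fact."""
    return policy.max_ttl is None or requested_ttl <= policy.max_ttl


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: a fixed "now" and three tokens with different histories.
NOW = _utc(2024, 6, 1)
SAMPLE_TOKENS = [
    ApiToken("ci-deploy", "alice", _utc(2024, 5, 1), _utc(2024, 7, 30), _utc(2024, 5, 31)),
    ApiToken("legacy-script", "bob", _utc(2024, 1, 1), _utc(2024, 12, 31), _utc(2024, 2, 1)),
    ApiToken("never-used", "carol", _utc(2024, 4, 1), _utc(2024, 6, 30), None),
]
POLICY = TtlPolicy(idle_ttl=timedelta(days=30), max_ttl=timedelta(days=90))
TIGHTER_POLICY = TtlPolicy(idle_ttl=timedelta(days=30), max_ttl=timedelta(days=30))


if __name__ == "__main__":
    for name, found in find_violations(SAMPLE_TOKENS, POLICY, NOW).items():
        print(f"{name}: violates {', '.join(found)}")
    # After tightening Max Token TTL, a previously compliant token is flagged too.
    print("after tightening:", find_violations(SAMPLE_TOKENS, TIGHTER_POLICY, NOW))
    print("120-day token allowed:", creation_allowed(timedelta(days=120), POLICY))
```

Running the script reports `legacy-script` for both policies, `never-used` for the idle policy only, and, under the tighter policy, `ci-deploy` for the maximum TTL as well, which mirrors the dashboard behaviour of flagging older tokens after a policy change.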

What can I do if an API token violates any policy or guideline in the Organization

If an API token violates a TTL policy in your Organization or in any way looks suspicious to you, you can deactivate the token from the API Tokens dashboard. A deactivated token cannot be used to access the resources in the Organization.
  1. On the API Tokens dashboard, select the API token you want to deactivate.
  2. Click the Deactivate link.

    The API token status changes from Activated to Deactivated. The owner of the API token receives an email notification from VMware Cloud Services that a token they've been using to access the Organization has been deactivated by an Organization Owner.

    To reactivate an API token that has been deactivated, select the API token on the dashboard, then click the Activate link. The owner of the API token receives an email notification confirming the reactivation.

How do I change the TTL policies for API tokens in my Organization

To modify the API tokens TTL policies, do the following:
  1. On the API Tokens dashboard, click Settings.
    To activate or deactivate a policy, use the Policy status slider.
    To change a TTL setting, enter a new value in the respective TTL setting section and select a time unit from the drop-down list. The time unit can be minutes, hours, or days.
  2. Click Save.

Validation runs of existing tokens against the policies take place once every 24 hours. This means it may take up to a day before the API Tokens dashboard list of violations reflects the change you made; a token that violates the new setting can still be used during that interval unless you deactivate it.