Ansible Automation Platform RFEs: AAPRFE-2678

RFE: Allow Short-Lived OAuth / PAT Tokens in AAP with Configurable Expiry via API


      1. What is the nature and description of the request?

      Currently, AAP does not allow OAuth/PAT token expiry values to be set shorter than the default expiry when creating or updating tokens via the API. This limitation prevents customers from implementing short-lived token and automated rotation workflows, which are a common security requirement in enterprise environments.

      2. Why does the customer need this? (List the business requirements here)

      The customer requires short-lived AAP API tokens (valid for hours, not years) and uses HashiCorp Vault as the centralized secret store.

      Key aspects of the workflow:

        • AAP OAuth/PAT tokens are stored in HashiCorp Vault using the kv_v2 secrets engine
        • Vault does not provide a native secrets engine for AAP tokens
        • A scheduled rotation job:
            • Creates a new AAP token via the API
            • Updates the token value stored in Vault
        • Applications retrieve tokens dynamically from Vault

      To ensure uninterrupted operation:

        • The new token must be immediately usable
        • The previous token must remain valid for a short overlap period, so in-flight processes do not fail

      Example requirement:

        • Token expiry: 6 hours
        • Rotation interval: 4 hours

        • Token expiry cannot be reduced below the default value when using the AAP API
        • Expiry is effectively controlled by a global default, not at an individual token level

      This forces customers to:

        • Use long-lived tokens
        • Accept increased security risk

      3. How would you like to achieve this? (List the functional requirements here)
      4. List any affected known dependencies: Doc, UI etc..
      5. Github Link if any
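
The timing in the example requirement above (6-hour expiry, 4-hour rotation), modelled as an added example that is not part of the original request and is not AAP or Vault code. It computes the overlap window that protects in-flight processes and shows what a late rotation run does to it; the `delays` parameter and all function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    issued: float   # hours since the first rotation run
    expires: float

def issue_schedule(ttl_h, interval_h, runs, delays=None):
    """Tokens minted by the rotation job. delays maps run index -> hours late
    (a constructed way to model a slow or retried run)."""
    delays = delays or {}
    return [Token(i * interval_h + delays.get(i, 0.0),
                  i * interval_h + delays.get(i, 0.0) + ttl_h)
            for i in range(runs)]

def overlaps(tokens):
    """Hours each token stays valid after its successor lands in Vault.
    Negative means Vault held an already-expired token for that long."""
    return [old.expires - new.issued for old, new in zip(tokens, tokens[1:])]

def max_safe_job_hours(tokens):
    """Longest in-flight process that cannot outlive the token it read,
    even if it read Vault just before the next rotation."""
    return max(0.0, min(overlaps(tokens)))

def outage_windows(tokens):
    """(start, end) spans during which the value in Vault was expired."""
    return [(old.expires, new.issued)
            for old, new in zip(tokens, tokens[1:]) if new.issued > old.expires]

def job_succeeds(tokens, read_at, duration_h):
    """A client reads the newest token at read_at and uses it for duration_h."""
    current = max((t for t in tokens if t.issued <= read_at),
                  key=lambda t: t.issued)
    return read_at <= current.expires and read_at + duration_h <= current.expires

if __name__ == "__main__":
    on_time = issue_schedule(ttl_h=6, interval_h=4, runs=4)
    late = issue_schedule(ttl_h=6, interval_h=4, runs=4, delays={2: 3.0})
    print("on time:", overlaps(on_time), max_safe_job_hours(on_time))
    print("run 2 late by 3h:", overlaps(late), outage_windows(late))
```

The overlap (expiry minus rotation interval) is also the budget for rotation-job lateness, so a rotation job should alert when a run slips by more than that.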

              rh-ee-rreed Ron Reed
              rhn-support-nchugh Neha Chugh