Goal:

Implement default expiration for personal access tokens to enhance security by preventing forgotten tokens from becoming long-term security risks. Users will benefit from security-by-default protection while maintaining the flexibility to set custom expiration dates when needed, aligning with current security standards for tokens and certificates.

Acceptance Criteria:

• Personal access tokens created without explicit expiration receive a configurable default expiration (30, 60, or 90 days)
• Users can override the default with custom expiration dates during token creation
• UI clearly displays token expiration status and remaining time
• API validates and enforces expiration rules for all new tokens
• Existing tokens without expiration are handled appropriately (migration strategy defined)
• Security audit trail captures token creation and expiration events

Open questions:

• What should be the default expiration period (30, 60, or 90 days)?
• How should existing tokens without expiration be handled during migration?
• Should administrators be able to configure organization-wide default policies?
• Are there integration impacts with MCP server token usage mentioned in comments?