If a CircleCI Personal API Token (PAT) that was working until recently has started failing API calls with HTTP 401 Unauthorized, the most likely cause is that the token has reached its expiration date.
How to rotate an expired token
Follow the steps in Managing API tokens:
- Delete the expired token from User Settings → Personal API Tokens.
- Create a new token. You will be required to set an expiration date with a maximum of 1 year.
- Update any consumers that reference the old token (CI configs, scripts, Terraform, etc.).
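To confirm that every consumer picked up the new token, the script below checks each one against the CircleCI API v2 `GET /api/v2/me` endpoint and flags those still answering HTTP 401. It is an added example, not CircleCI's own tooling; it assumes each consumer's token is available in an environment variable, and the variable names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not CircleCI's own tooling. Checks whether the CircleCI token
# held in each named environment variable still authenticates.
# Usage (variable names are hypothetical):
#   ./check-tokens.sh CIRCLE_TOKEN TF_VAR_circleci_token

CIRCLECI_ME_URL="https://circleci.com/api/v2/me"

# Print the HTTP status that GET /api/v2/me returns for the token in $1.
# The header reaches curl through a config read from stdin, so the token
# never appears in the process list.
circleci_token_status() {
  printf 'header = "Circle-Token: %s"\n' "$1" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --config - "$CIRCLECI_ME_URL"
}

# $1 is the NAME of a variable, not the token itself.
# Returns 0 = accepted, 1 = rejected with 401 (rotate it),
# 2 = inconclusive (bad or unset variable, network error, other status).
check_circleci_token() {
  name="$1"
  case "$name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
  esac
  eval "token=\${$name:-}"   # safe: name was validated above
  if [ -z "$token" ]; then echo "$name: not set"; return 2; fi
  code="$(circleci_token_status "$token")" || code="000"
  case "$code" in
    200) echo "$name: OK"; return 0 ;;
    401) echo "$name: 401 Unauthorized, delete and re-create this token"; return 1 ;;
    *)   echo "$name: HTTP $code, inconclusive, retry later"; return 2 ;;
  esac
}

# Check every named variable; non-zero if any token was not confirmed valid.
audit_tokens() {
  failed=0
  for var in "$@"; do
    check_circleci_token "$var" || failed=1
  done
  return "$failed"
}

# Run only when variable names are given on the command line.
[ "$#" -eq 0 ] || audit_tokens "$@"
```

Only variable names and status codes are printed, never token values, so the output is safe to keep in CI logs.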
Why this happens now
Per the CircleCI Changelog, CircleCI recently made expiration dates mandatory on newly created Personal API Tokens, with a maximum validity of 1 year. The reason given is that long-lived tokens that never expire are a security risk, and requiring expiration encourages regular credential rotation.
Existing PATs created before this change are not affected and continue to work as before. The change applies to any token created after the rollout, which means tokens you create going forward will eventually need to be rotated.