feat(cli)!: expire tokens by default by johnstcn · Pull Request #21783 · coder/coder
This adds a new `coder tokens expire` command that allows admins/owners
to immediately expire a token by ID. Unlike `coder tokens rm` which
deletes the token entirely, this preserves the token record for audit
trail purposes.
This is useful during incident response when a token needs to be
urgently revoked without direct database access.
The implementation includes:
- New API endpoint: PUT /api/v2/users/{user}/keys/{keyid}/expire
- New SDK method: ExpireAPIKey
- New CLI command: coder tokens expire <name|id|token>
- Audit logging for the expire action
Closes #21782
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
johnstcn
marked this pull request as ready for review
johnstcn
marked this pull request as ready for review
This changes the default behavior of `coder tokens remove` to expire
tokens instead of deleting them, preserving the audit trail. Use
`--delete` to permanently delete a token.
Changes:
- Default behavior now expires tokens (preserves audit trail)
- Add `--delete` flag for permanent deletion
- Add `--include-expired` flag to `tokens ls` to show expired tokens
- Add PUT /users/{user}/keys/{keyid}/expire API endpoint
- Add ExpireAPIKey SDK method
Breaking change: Scripts using `coder tokens remove` will now expire
tokens instead of deleting them. Update to `coder tokens remove --delete`
for the previous behavior.
johnstcn
changed the title
feat(cli): add
feat(cli)!: expire tokens by defaultcoder tokens expire command
johnstcn
deleted the
feat/tokens-expire-command
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters