Extended/No Expiration Personal access tokens

Hi ​@shijia.me, thanks for reaching out! 

Our team is investing in security improvements to our API, so as a first step, we decided to remove the ability to create non-expiring personal access tokens.

Thanks for your reply.

Please provide alternatives instead of removing this feature.

Hi ​@djv!
Thank you for elaborating on the situation.

Could it be possible to have a more extended option? For example, 6 months? The maintenance of updating pipelines and machines every 3 months (90 days) is too high for us. So a longer extended period for us would be great, but ideally a non-expired / yearly period would be a better option

Hey All, thanks for the additional feedback! 

We’ve updated this topic into a feature request, and we’ve passed this along to the team for future consideration.

While this isn’t on the team’s immediate pipeline, they will be monitoring this topic to collect feedback from the community. 

I value the limitation for security purposes — but:

As I already mentioned on X, I’d really appreciate it if this limitation could be extended or removed for read-only tokens.

Idea 1:
Adjust the restriction based on the file’s visibility status — e.g. whether it’s private, public, or something in between. Introducing a third state like “confidential” or “sensitive” could help better reflect the security context.

Idea 2:
Figma could implement an AI-based check to determine whether a token might pose a security risk, depending on its scope or the sensitivity of the data it grants access to.

Idea 3:
Log the usage of the token and allow users to monitor it — for example, by seeing which hosts or users are making requests. Similar to "known device" features on other platforms, users could then confirm, “yes, that’s me.”

Idea 3a:
Allow passing a label or tag as a second argument when registering the token, to help track its usage more easily.

Thanks for your feedback, ​@Robert Willemelis! 

I’ll pass this onto our team for their consideration.