Rotating access tokens

Best practices for managing and rotating FOSSA access tokens securely.

1 min readUpdated Jul 10, 2026

Overview

Access tokens provide programmatic access to FOSSA. Like passwords, they should be stored securely and rotated periodically.

Use a service account

Create a dedicated service account with minimal permissions for automation, rather than using a personal account. A typical minimal set is Create projects, Edit projects, and View projects. See Roles and permissions for how to scope access.

Choose the right token type

Token typeUse it for
Push-OnlyCLI and CI integrations that only push analysis results.
FullRead APIs and management tasks that need account-level access.

See Authentication for more on token types.

Rotation procedure

  1. 1

    Generate a new token

    Create a new token for the service account.

  2. 2

    Update your integrations

    Point your integrations and stored secrets at the new token.

  3. 3

    Verify

    Confirm the integrations work with the new token.

  4. 4

    Revoke the old token

    Once everything is confirmed, revoke the previous token.

Security considerations

  • Store tokens in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault).
  • Rotate tokens regularly; every 80–180 days is a reasonable cadence.
  • Monitor token usage and revoke unused tokens.
© 2026 FOSSA, Inc.support@fossa.com