Rotating access tokens
Best practices for managing and rotating FOSSA access tokens securely.
Overview
Access tokens provide programmatic access to FOSSA. Like passwords, they should be stored securely and rotated periodically.
Use a service account
Create a dedicated service account with minimal permissions for automation, rather than using a personal account. A typical minimal set is Create projects, Edit projects, and View projects. See Roles and permissions for how to scope access.
Choose the right token type
| Token type | Use it for |
|---|---|
| Push-Only | CLI and CI integrations that only push analysis results. |
| Full | Read APIs and management tasks that need account-level access. |
See Authentication for more on token types.
Rotation procedure
- 1
Generate a new token
Create a new token for the service account.
- 2
Update your integrations
Point your integrations and stored secrets at the new token.
- 3
Verify
Confirm the integrations work with the new token.
- 4
Revoke the old token
Once everything is confirmed, revoke the previous token.
Security considerations
- Store tokens in a secrets manager (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault).
- Rotate tokens regularly; every 80–180 days is a reasonable cadence.
- Monitor token usage and revoke unused tokens.