Each time a user signs in to Managed Service for TimescaleDB (MST) either via the portal or direct REST API call, the server creates a new authentication token associated with the user. These tokens are set to expire after 30 days (subject to change) but the expiry date is adjusted whenever the token is used so the token may remain valid practically indefinitely if it is used frequently enough.

The user account page in the MST console lists all currently valid tokens as shown in the image below. This page can be used to revoke individual tokens, revoke all current tokens, and generate new tokens. The new tokens generated via this page can be given a description, maximum age (possibly indefinite), and their extension policy can be set (extend when used or not). These explicitly created tokens could be used e.g. by some monitoring application that makes automatic calls to the MST REST API.

The REST API, which the web console relies on, naturally supports these API operations as well.

Performing operations that affect current authentication settings, such as enabling two factor authentication or resetting password, immediately revoke all existing tokens. In some cases a new token is immediately created so that web console session remains valid even though the previously used token was revoked.

Token counts

The system has hard limits for how many valid authentication tokens are allowed per user. This limit is different for tokens that are created as a result of sign in operation and for tokens created explicitly; the limit for explicitly created tokens is small but the system never invalidates the tokens unless they expire or they are explicitly revoked. For automatically created tokens the limit is higher but when the limit is reached the system automatically deletes tokens that have been used least recently to avoid going above the limit.

This behavior for automatically created tokens can result in a token that hasn’t expired nor been explicitly revoked to stop working. To avoid running into problems with this behavior you should always make sure you sign out after sign in instead of just discarding your authentication token. This is mostly relevant for automation which automatically signs in. The MST web console automatically revokes current token when signing out.

Note about old authentication tokens

The sign in API call used to hand out tokens that were not explicitly tracked and couldn’t be individually revoked. These old tokens remain valid and become automatically tracked whenever they’re used so that they can be revoked. If the tokens have not been used they will not appear in the list of currently valid tokens though they will still work if used unless the revoke all action is used. These tokens, if used, also count towards maximum token quota.

Known limitations

Managed Service for TimescaleDB currently only supports authentication tokens that are associated with regular MST user accounts and that have the same access level as the user who created the token. 

Did this answer your question?