max_signed_tokens_ttl setting, closes #1858

Also redesigned token format to include creation time and optional duration.
2025-12-10 16:51:24 +01:00 · 2022-10-26 14:13:31 -07:00 · 2022-10-26 14:13:31 -07:00 · 382a871583
commit 382a871583
parent af5d5d0243
6 changed files with 99 additions and 25 deletions
--- a/docs/settings.rst
+++ b/docs/settings.rst
@ -182,6 +182,21 @@ This is turned on by default. Use the following to turn it off::

 Turning this setting off will disable the ``/-/create-token`` page, :ref:`described here <CreateTokenView>`. It will also cause any incoming ``Authorization: Bearer dstok_...`` API tokens to be ignored.

+.. _setting_max_signed_tokens_ttl:
+
+max_signed_tokens_ttl
+~~~~~~~~~~~~~~~~~~~~~
+
+Maximum allowed expiry time for signed API tokens created by users.
+
+Defaults to ``0`` which means no limit - tokens can be created that will never expire.
+
+Set this to a value in seconds to limit the maximum expiry time. For example, to set that limit to 24 hours you would use::
+
+    datasette mydatabase.db --setting max_signed_tokens_ttl 86400
+
+This setting is enforced when incoming tokens are processed.
+
 .. _setting_default_cache_ttl:

 default_cache_ttl