API token removed

Hi Pedro and welcome to the Wrike Community! :)

The permanent token never expires. The exception is when you reset your password. I've checked your account and saw that you indeed reset your password recently, which is most likely the reason your access token has been revoked. Please let me know if you have any additional questions!

Hi Serge,

Thanks for your response, that makes sense.

Regards,

Pedro

Hi Serge, is that still the expected behaviour? Does it make sense to have a "permanent" token revoked each time you reset your password if the guideline is to reset passwords at least every 90days?

Is there any suggested way to get a permanent token by user without need to create a new token each time a password reset happens?

Regards
Patrick

Hi Patrick Güra! I'm checking this with the team now, we'll get back to you as soon as possible 👍

Lisa Community Team at Wrike Wrike Product Manager Become a Wrike expert with Wrike Discover

Lisa Wrike Team member Become a Wrike expert with Wrike Discover

Hi Patrick Güra,

That's correct, the permanent access token is invalidated upon the regular password change too. So, since the password expiration policy on your account is set to "Every 90 days", you'll need to generate a new token every 3 months. Wrike password expiration automatically triggers API token invalidation for the benefit of your data security, and we generally recommend to change token periodically to avoid any risk of its exposure.

The password policy settings apply to all users, and there's no option of excluding the user who generated the API token. There are two workarounds I have in mind that could help in your use-case:

1. Please discuss with your team if you still need the password expiration policy in place - the owner of your account can disable the password policies for everyone as described here: https://help.wrike.com/hc/en-us/articles/210324485-Advanced-Security-Settings#passwordexpiration
2. If you want to combine the high level of password security and prevent future invalidation of API tokens at the same time, please consider implementing SAML SSO for your account. Users will be able to sign in to Wrike using only company credentials. Since the password security will be managed on the IdP side, your Wrike Admin can switch the setting "Force reset user passwords" to "Never" and the token won't be revoked anymore.

Please let me know if you have any further questions🙂

Lisa K. Community Team at Wrike Wrike Product Manager Become a Wrike expert with Wrike Discover

Lisa K. Wrike Team member Become a Wrike expert with Wrike Discover

Hi Lisa K.

does this behavior also apply to OAuth2 apps - I couldn't find anything on the subject - do Client-ID and Client-Secret of API-Apps also get revoked after password resets?

Best regards,
Adrian

Hi Adrian Soluch, thanks for the question. Resetting the Wrike password revokes all OAuth2 tokens (permanent access tokens and a pair of access and refresh tokens), but you can use the same Client-ID and Client-Secret to generate new tokens after you have reset your Wrike password (https://developers.wrike.com/oauth-20-authorization/). Let me know if there is anything else I can help you with! 🙌

Lisa K. Community Team at Wrike Wrike Product Manager Become a Wrike expert with Wrike Discover

Lisa K. Wrike Team member Become a Wrike expert with Wrike Discover