Xray for Jira Cloud
XRAYCLOUD-10879

Introduce expiration support for Xray Cloud API keys along with fields to display Creation Date and Expiry Date.


Details

    • Suggestion
    • Status: New
    • Resolution: Unresolved
    • REST API
    • UNCOVERED
    • 20

    Description
      Currently, Xray Cloud API keys are generated without any expiration mechanism, meaning they remain valid indefinitely unless manually revoked. This creates potential security and governance challenges, especially for organizations following strict access control and credential lifecycle policies.

      To address this, introduce:

      • A configurable expiry date when creating API keys (e.g., 30/60/90 days or custom date)
      • Additional metadata fields:
        • Created Date
        • Expiry Date
      • Optional alerts or warnings to the user or to the admin when a key is close to expiration.

      User friction

      • Users must manually track API key lifecycle outside the platform
      • Increased risk of long-lived credentials being exposed or misused
      • Lack of auditability makes it difficult to review or enforce compliance policies
      • Security teams cannot enforce standard credential rotation practices

      Steps to reproduce (current behaviour):

      1. Generate an API key in Xray Cloud
      2. Observe available fields and configuration options

      Actual Result:

      • API key is created with no expiration
      • No visible metadata for creation or expiry
      • Key remains valid indefinitely unless manually revoked

      IMPACT

      • Potential security vulnerability due to permanently active credentials
      • Non-compliance with security best practices (e.g., least privilege, credential rotation)
      • Governance and auditing limitations
      • Increased risk during employee transitions or role changes

      What would improve if solved:

      • Enhanced security posture with controlled credential lifecycle
      • Easier compliance with enterprise policies (ISO, SOC2, etc.)
      • Better visibility and management of API keys
      • Reduced manual burden for tracking and rotating keys

      Impact on stakeholders:

      • Developers: Gain clearer visibility and control over API key validity
      • Security teams: Can enforce rotation policies and reduce risk exposure
      • Admins: Improved governance and auditing capabilities
      • Organizations: Better compliance and reduced operational risk

      Current workaround:

      • Manually maintain an API key inventory in external tools (spreadsheets, vaults)
      • Periodically revoke and regenerate keys manually
      • Use internal policies to enforce manual rotation schedules

      CONTEXT & EXAMPLES:
      Many modern platforms (e.g., AWS, GitHub, Azure) enforce or recommend API key expiration and provide metadata such as creation timestamps and expiry tracking to improve security and governance.
      Concrete example:
      When generating an API key:

      • User selects:
        • Expiration: 60 days
      • UI shows:
        • Created Date: 2026-06-11
        • Expiry Date: 2026-08-10
      • System sends a notification 7 days before expiry
      • Key automatically becomes invalid after expiry
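      The lifecycle described in the concrete example above, as an added illustration that is not Xray's code and not part of the original ticket. It models the requested metadata (Created Date, Expiry Date), derives the expiry from a chosen number of days, classifies a key as active, expiring soon or expired on a given day, and produces the kind of inventory report that the "current workaround" section says teams keep by hand today. The data model, function names, the 7-day warning window (taken from the example) and the rule that a key stops being accepted on its expiry date itself are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Iterable, Optional

# Assumption taken from the ticket's example: warn 7 days before expiry.
WARNING_WINDOW_DAYS = 7


class KeyState(Enum):
    ACTIVE = "active"
    EXPIRING_SOON = "expiring_soon"
    EXPIRED = "expired"


@dataclass(frozen=True)
class ApiKeyRecord:
    """Hypothetical record with the two metadata fields the ticket requests."""
    key_id: str
    created: date
    expires: Optional[date]  # None models today's behaviour: a key that never expires


def issue_key(key_id: str, created: str, expiry_days: Optional[int] = None) -> ApiKeyRecord:
    """Create a key record; dates are ISO strings (YYYY-MM-DD). No expiry_days = never expires."""
    created_on = date.fromisoformat(created)
    expires_on = created_on + timedelta(days=expiry_days) if expiry_days is not None else None
    return ApiKeyRecord(key_id=key_id, created=created_on, expires=expires_on)


def expiry_iso(record: ApiKeyRecord) -> Optional[str]:
    """The Expiry Date as shown in the UI, or None for a non-expiring key."""
    return record.expires.isoformat() if record.expires is not None else None


def key_state(record: ApiKeyRecord, today: str) -> KeyState:
    """Classify a key on a given day.

    Assumption: the key is rejected from its expiry date onwards (the ticket only
    says "after expiry"), and the warning window starts WARNING_WINDOW_DAYS before it.
    """
    now = date.fromisoformat(today)
    if record.expires is None:
        return KeyState.ACTIVE
    if now >= record.expires:
        return KeyState.EXPIRED
    if now >= record.expires - timedelta(days=WARNING_WINDOW_DAYS):
        return KeyState.EXPIRING_SOON
    return KeyState.ACTIVE


def is_key_accepted(record: ApiKeyRecord, today: str) -> bool:
    """What an API gateway check would enforce: expired keys are refused."""
    return key_state(record, today) != KeyState.EXPIRED


def lifecycle_report(records: Iterable[ApiKeyRecord], today: str) -> Dict[str, str]:
    """Inventory view for admins/security: key id -> state name."""
    return {r.key_id: key_state(r, today).value for r in records}


if __name__ == "__main__":
    # Constructed sample inventory: one key from the ticket's example, one legacy key
    # with no expiry (today's behaviour), one key already past its date.
    inventory = [
        issue_key("ci-pipeline", "2026-06-11", 60),
        issue_key("legacy-integration", "2020-01-01"),
        issue_key("old-reporting", "2026-01-01", 30),
    ]
    for record in inventory:
        print(record.key_id, "created", record.created.isoformat(), "expires", expiry_iso(record))
    print(lifecycle_report(inventory, "2026-08-05"))
```

Running the script shows the example key created on 2026-06-11 with a 60-day expiry landing on 2026-08-10, flagged as expiring soon from 2026-08-03, and the never-expiring legacy key staying active forever, which is the gap the ticket is asking to close.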

      Workaround risk:

      • Human error in tracking expiration leads to forgotten keys remaining active
      • Delayed revocation increases exposure window if a key is compromised
      • Compliance violations due to lack of enforced lifecycle management

      People

        bernardo.cottim Bernardo Cottim
        jayanthi.murthi Jayanthi Murthi
        Votes: 1
        Watchers: 1