API access tokens must be configured to expire.

Overview

Finding ID: V-274680
Version: SRG-APP-000400-API-000860
Rule ID: SV-274680r1143713_rule
IA Controls: CCI-002007
Severity: medium
Description
API access tokens are short-lived credentials used to authenticate and authorize API requests. They are included in request headers to grant access to protected resources without requiring user credentials each time. To enhance security, they must have expiration times and require renewal through refresh tokens. If cached authentication information is out of date, the validity of the authentication information may be questionable.
STIG: Application Programming Interface (API) Security Requirements Guide
Date: 2025-09-24

Details

Check Text (C-274680r1143713_chk)

Verify API access tokens are configured to expire according to organization-defined parameters. If API access tokens are not configured to expire according to organization-defined parameters, this is a finding.

Fix Text (F-78686r1143476_fix)

Build or configure API access tokens to expire according to organization-defined parameters.
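The following is an added example, not part of the STIG or of any specific product, illustrating what the Description and Fix Text call for: an API token issuer that stamps every access and refresh token with an exp claim, a verifier that rejects tokens that are expired or carry no exp at all, and a refresh step that mints a new short-lived access token instead of extending the old one. The token format is a minimal HS256 JWT built from the Python standard library; the key, the lifetimes (15 minutes for access, 24 hours for refresh) and the 30-second clock-skew tolerance are assumed values standing in for the organization-defined parameters.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; in a real deployment this comes from a secret store or KMS.
SIGNING_KEY = b"demo-signing-key-not-for-production"
# Assumed organization-defined parameters (the STIG leaves the values to the organization).
ACCESS_TTL_SECONDS = 900        # access tokens live 15 minutes
REFRESH_TTL_SECONDS = 86400     # refresh tokens live 24 hours
CLOCK_SKEW_SECONDS = 30         # tolerated drift between issuer and verifier clocks


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, ttl: int, token_type: str, now=None) -> str:
    """Issue an HMAC-SHA256 signed token carrying iat, exp and a unique jti."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "typ": token_type, "iat": now,
              "exp": now + ttl, "jti": secrets.token_hex(8)}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_type: str, now=None) -> dict:
    """Check signature, token type and expiry; raise ValueError on any failure."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("typ") != expected_type:
        raise ValueError("wrong token type")
    exp = claims.get("exp")
    # A token without an expiry is exactly what the STIG check flags as a finding.
    if not isinstance(exp, int):
        raise ValueError("missing exp claim")
    if now > exp + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    return claims


def is_valid(token: str, expected_type: str, now=None) -> bool:
    """Boolean wrapper around verify_token for request handlers."""
    try:
        verify_token(token, expected_type, now)
        return True
    except ValueError:
        return False


def refresh(refresh_token: str, now=None):
    """Exchange a valid refresh token for a new access/refresh pair.

    The old access token is never extended; a fresh one with its own exp is issued,
    and the refresh token is rotated at the same time.
    """
    claims = verify_token(refresh_token, "refresh", now)
    return (issue_token(claims["sub"], ACCESS_TTL_SECONDS, "access", now),
            issue_token(claims["sub"], REFRESH_TTL_SECONDS, "refresh", now))


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    access = issue_token("alice", ACCESS_TTL_SECONDS, "access", now=t0)
    print("valid at issue:", is_valid(access, "access", now=t0))
    print("valid after 20 min:", is_valid(access, "access", now=t0 + 1200))
```

The verifier is where an auditor would look when applying the Check Text: it must refuse a token whose exp is absent as well as one that has passed, and the refresh path must issue a new token rather than stretching the lifetime of an existing one.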