
AI Coding Assistant Lingma: Security guidelines of access tokens

Last Updated: May 27, 2025

This topic describes the security guidelines for access tokens.

Note

To ensure the security of access tokens, Alibaba Cloud DevOps displays a token only once, in the response to the request that creates it. It cannot be retrieved again in any later request. Alibaba Cloud DevOps also encrypts your tokens before storing them, so they are protected at rest.

When you request and use tokens, follow the guidelines below on minimal authorization, secure storage, and careful use to reduce potential security risks.

Token authorization

  • When you create a token, select its permissions and its validity period. Follow the Principle of Least Privilege (PoLP): grant only the permissions the intended use requires, and set the validity period to the shortest interval that still covers that use. Do not make a token permanent.

  • A token can never exceed the access and operation capabilities of the user who created it. Within that limit, its effective permissions are further restricted to the API scopes selected when it was created. A token therefore never grants its holder permissions that its creator does not have.

Secure storage

Handle authentication credentials in the same way as you handle passwords or other sensitive information:

  • Do not share tokens through unencrypted messages or systems such as email, IM, or other communication tools.

  • Do not pass tokens in plain text on the command line, where they can be recorded in shell history and are visible to other processes on the host.

  • Do not add unencrypted tokens to uncontrolled systems such as public code repositories.

Careful use

  • Do not hard-code tokens in your code or share them in public repositories. Store tokens in environment variables and read them from there when you attach a token to an API request. This reduces the risk of a token leaking and being used for unauthorized access, which can lead to a data breach.

  • Do not use permanent tokens. Rotate tokens regularly.

  • Revoke a token immediately if you discover that it has been leaked.
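The environment-variable pattern from the "Careful use" list, combined with the "Secure storage" rule against putting tokens on the command line, as an added Python example. This is not Lingma's or Alibaba Cloud's code: the variable name `LINGMA_ACCESS_TOKEN`, the `Bearer` authorization scheme and the endpoint URL are assumptions made for the example, and the client fails closed when the token is absent or has also been exposed as a command-line argument.

```python
"""Token hygiene helpers (added example; not Alibaba Cloud / Lingma code)."""
import logging
import os
import sys
from typing import Mapping, Optional, Sequence
from urllib.request import Request

# Assumed environment variable name; the page does not prescribe one.
TOKEN_ENV_VAR = "LINGMA_ACCESS_TOKEN"
REDACTED = "[REDACTED]"


class MissingTokenError(RuntimeError):
    """Raised when no token is present in the environment."""


def load_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Read the access token from the environment instead of from source code.

    Fails closed: a missing or empty variable stops the program rather than
    letting a half-configured request go out. `env` is injectable for tests.
    """
    source = os.environ if env is None else env
    token = source.get(TOKEN_ENV_VAR, "").strip()
    if not token:
        raise MissingTokenError(
            f"set {TOKEN_ENV_VAR} in the environment; never hard-code the token"
        )
    return token


def token_in_argv(token: str, argv: Sequence[str]) -> bool:
    """True if the token value also appears in the command line.

    Arguments are visible in process listings and shell history, so a token
    that shows up there has already left the secure channel and should be
    treated as leaked (the page says to revoke such tokens immediately).
    """
    return any(token in arg for arg in argv)


def auth_headers(token: str) -> dict:
    """Build the request header carrying the token.

    The 'Bearer' scheme is an assumption for this example; use whatever
    scheme the API you call documents.
    """
    return {"Authorization": f"Bearer {token}"}


def build_request(url: str, token: str) -> Request:
    """Attach the token as a header, never as part of the URL (URLs end up in logs)."""
    return Request(url, headers=auth_headers(token))


def redact(message: str, token: str) -> str:
    """Replace the token value in a log line so logs never store it in clear."""
    return message.replace(token, REDACTED) if token else message


def main() -> int:
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    try:
        token = load_token()
    except MissingTokenError as exc:
        logging.error("%s", exc)
        return 2
    if token_in_argv(token, sys.argv):
        logging.error("token was passed as a command-line argument; rotate it and rerun")
        return 2
    # Constructed endpoint; the real API URL comes from the service documentation.
    req = build_request("https://api.example.invalid/v1/resource", token)
    line = f"prepared request to {req.full_url} with {req.get_header('Authorization')}"
    logging.info(redact(line, token))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `LINGMA_ACCESS_TOKEN=<token> python token_hygiene.py`; the script exits with status 2 if the variable is unset or if the same value was also given as an argument, and it only ever logs the request line with the token replaced by `[REDACTED]`.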