3.13: Configure the access token lifetime on the ssh CLI
28 views
Skip to first unread message
Nils Wireklint
7:35 AM (9 hours ago) 7:35 AM
to Repo and Gerrit Discussion
Hi.
I return to my tinkering with access tokens now and reallize that one can't configure the lifetime of the token on the SSH API. I would like to create a short-lived token that I do my best to clean up within the tool, but as there are many scenarios where my process is killed without fully running the cleanup code I would like to have the lifetime be bounded to a short lifetimes so I don't accidentally leak resources in the user's account.
Nils Wireklint
7:37 AM (9 hours ago) 7:37 AM
to Repo and Gerrit Discussion
The lifetime is configurable in the REST API but there's the chicken and egg problem where I want to bootstrap access to the REST API with this call over SSH.
Matthias Sohn
8:12 AM (9 hours ago) 8:12 AM
to Nils Wireklint, Repo and Gerrit Discussion
On Tue, May 19, 2026 at 1:37 PM 'Nils Wireklint' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:
The lifetime is configurable in the REST API but there's the chicken and egg problem where I want to bootstrap access to the REST API with this call over SSH.
And how do you upload a public ssh key ?
tisdag 19 maj 2026 kl. 13:35:15 UTC+2 skrev Nils Wireklint:Hi.
I return to my tinkering with access tokens now and reallize that one can't configure the lifetime of the token on the SSH API. I would like to create a short-lived token that I do my best to clean up within the tool, but as there are many scenarios where my process is killed without fully running the cleanup code I would like to have the lifetime be bounded to a short lifetimes so I don't accidentally leak resources in the user's account.
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/68f32af4-6a69-4498-977e-2db88ad9da7bn%40googlegroups.com.
Nils Wireklint
8:27 AM (9 hours ago) 8:27 AM
to Repo and Gerrit Discussion
Good question, yes.
I don't. All the developers have already done that manually, so we clone the repositories over ssh. But I can not currently require them to also create an HTTP password or an access token for tool use.
So my tool starts with SSH access and would like to call the submitted_together API, which is not currently available in the SSH API,
and I think the shortest path to that is to use an ephemeral access token, that we can generate over SSH, then call the REST API and cleanup the access token.
If we had submitted together over SSH I could use that directly, but I do think that is a larger lift than this.
I could take a look if you think it is a good idea and would prefer that I did the work.
Thanks
I don't. All the developers have already done that manually, so we clone the repositories over ssh. But I can not currently require them to also create an HTTP password or an access token for tool use.
So my tool starts with SSH access and would like to call the submitted_together API, which is not currently available in the SSH API,
and I think the shortest path to that is to use an ephemeral access token, that we can generate over SSH, then call the REST API and cleanup the access token.
If we had submitted together over SSH I could use that directly, but I do think that is a larger lift than this.
I could take a look if you think it is a good idea and would prefer that I did the work.
Thanks
Reply all
Reply to author
Forward
0 new messages