TheRacetrack / racetrack

An opinionated framework for deploying, managing, and serving application workloads
https://theracetrack.github.io/racetrack/
Apache License 2.0

Multiple auth tokens #487

Open iszulcdeepsense opened 3 days ago

iszulcdeepsense commented 3 days ago

We're looking into potentially changing (probably not right now) an ESC token. We assume a newly generated token will replace the currently active one; is this correct? Is there a future world where we can have concurrent active tokens, with associated activation datetimes, and select which ones to deactivate?

The question was triggered by an ESC asking if they're required to change the token (I believe the answer is no), but I got thinking of the possibility of this. We cannot generate a new token for them without it overwriting their current one, naturally resulting in errors in PROD during the transition and token handover.

Yeah, I understand that 1-to-many tokens requires a good process for cleanup.

There is only one token associated with the ESC right now. Let's consider having multiple tokens, if there's a need. There's a workaround. You can have 2 ESCs: "mr blue" & "mr green" and assign them the same permissions (yes, it's laborious). After they switch, deactivate the old one.

In short, having multiple tokens would facilitate the process of switching to a new token. However, there's a risk we'll end up with a ton of unused, obsolete tokens, so maybe tracking the date when the token was last in use would be insightful in the cleanup process.

(issue reported by Veronica)

JosefAssadERST commented 3 days ago

So here we've landed on going 1-to-many on ESCs to auth tokens, and then giving the portfolio manager a way to scan for dead or unused tokens, right?

iszulcdeepsense commented 2 days ago

> So here we've landed on going 1-to-many on ESCs to auth tokens, and then giving the portfolio manager a way to scan for dead or unused tokens, right?

Exactly.
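
A sketch of the design the thread lands on, added here as an illustration and not taken from the thread or from Racetrack's code: several concurrently valid tokens per ESC, a last-used timestamp updated on each successful authentication, and a scan for idle tokens. `TokenStore`, `TokenRecord` and all field names are hypothetical, and storing only a SHA-256 digest of each token is an assumption of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TokenRecord:
    esc: str                          # owning ESC (hypothetical field names)
    digest: str                       # only a hash of the token is stored
    created_at: datetime
    last_used_at: Optional[datetime] = None
    active: bool = True


class TokenStore:
    """Hypothetical 1-to-many ESC -> token store; not Racetrack's data model."""

    def __init__(self) -> None:
        self._by_digest: dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, esc: str, now: datetime) -> str:
        # Issuing never overwrites: older tokens of the same ESC stay valid,
        # so the consumer can switch over without errors in production.
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self._by_digest[digest] = TokenRecord(esc, digest, now)
        return token

    def authenticate(self, token: str, now: datetime) -> Optional[str]:
        rec = self._by_digest.get(self._digest(token))
        if rec is None or not rec.active:
            return None
        rec.last_used_at = now        # feeds the cleanup scan below
        return rec.esc

    def deactivate(self, token: str) -> None:
        self._by_digest[self._digest(token)].active = False

    def stale(self, now: datetime, max_idle: timedelta) -> list[TokenRecord]:
        # Active tokens whose last use (or creation, if never used)
        # is older than max_idle: candidates for deactivation.
        cutoff = now - max_idle
        return [r for r in self._by_digest.values()
                if r.active and (r.last_used_at or r.created_at) < cutoff]
```
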