Fix(access_tokens): expires_at field not required anymore (!209400) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

This MR makes the expires_at field optional when creating project and group access tokens via the API, aligning the behavior with personal access tokens.

Before: The expires_at field was required with a hardcoded default value, which didn't respect the instance-level require_personal_access_token_expiry setting.

After:

When expires_at is provided → uses the specified date
When expires_at is omitted and require_personal_access_token_expiry is enabled → applies the default expiration (365 days)
When expires_at is omitted and require_personal_access_token_expiry is disabled → creates a token with no expiration

This change enables Terraform Provider users to create tokens without explicitly setting expiration dates, matching the behavior of personal access tokens.

References

group access tokens

project access tokens

resolves #574745

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited Oct 21, 2025 by Aboobacker MK

Fix(access_tokens): expires_at field not required anymore

What does this MR do and why?

References

MR acceptance checklist

Merge request reports