Unverified commit 5d6da788, authored by Eduardo Sanz García, committed by GitLab

Fix inconsistencies with `expires_at` access token

Fix mistakes regarding what happens if `expires_at` is not defined in
two situations.

* Creating tokens: maximum allowable time
* Rotating tokens: one week

We use the same language everywhere for consistency.
Parent 8b2766e7
......@@ -117,7 +117,7 @@ POST /groups/:id/access_tokens
| `name` | String | yes | Name of the group access token |
| `scopes` | `Array[String]` | yes | [List of scopes](../user/group/settings/group_access_tokens.md#scopes-for-a-group-access-token) |
| `access_level` | Integer | no | Access level. Valid values are `10` (Guest), `15` (Planner), `20` (Reporter), `30` (Developer), `40` (Maintainer), and `50` (Owner). |
| `expires_at` | Date | yes | Expiration date of the access token in ISO format (`YYYY-MM-DD`). The date cannot be set later than the [maximum allowable lifetime of an access token](../user/profile/personal_access_tokens.md#access-token-expiration). |
| `expires_at` | Date | yes | Expiration date of the access token in ISO format (`YYYY-MM-DD`). If undefined, the date is set to the [maximum allowable lifetime limit](../user/profile/personal_access_tokens.md#access-token-expiration). |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
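Review bot: the new `expires_at` row for `POST /groups/:id/access_tokens` keeps Required as `yes` while its description now starts with "If undefined, the date is set to ...", and a required attribute cannot be left undefined. Either change Required to `no` if the API really falls back to the maximum allowable lifetime, or drop the "If undefined" sentence and keep the attribute mandatory. The difference matters to callers: one reading produces a rejected request, the other silently issues the longest-lived token the instance allows.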
......@@ -164,7 +164,7 @@ POST /groups/:id/access_tokens/:token_id/rotate
|-----------|------------|----------|---------------------|
| `id` | integer or string | yes | ID or [URL-encoded path of the group](rest/index.md#namespaced-paths) |
| `token_id` | integer | yes | ID of the access token |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>/rotate"
......
......@@ -141,7 +141,7 @@ Parameters:
| `user_id` | integer | yes | The ID of a service account user. |
| `name` | string | yes | The name of the personal access token. |
| `scopes` | array | yes | Array of scopes of the personal access token. See [personal access token scopes](../user/profile/personal_access_tokens.md#personal-access-token-scopes) for possible values. |
| `expires_at` | date | no | The personal access token expiry date. When left blank, the token follows the [standard rule of expiry for personal access tokens](../user/profile/personal_access_tokens.md#access-token-expiration). To specify no expiration date, omit this key. |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). If undefined, the date is set to the [maximum allowable lifetime limit](../user/profile/personal_access_tokens.md#access-token-expiration). |
Example request:
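Review bot: in the service account `expires_at` row, the removed sentence "To specify no expiration date, omit this key." has no replacement, and the new text says omitting the key yields the maximum allowable lifetime, which is the opposite outcome. Please confirm which behaviour the endpoint has before merging. If a non-expiring token is still possible under some instance setting, the row should say when; if it is not, a short note that omitting the key no longer means "no expiry" would help readers who relied on the old wording.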
......
......@@ -213,7 +213,7 @@ Example response:
## Rotate a personal access token
Rotate a personal access token. Revokes the previous token and creates a new token that expires in one week
Rotate a personal access token. Revokes the previous token and creates a new token that expires in one week.
You can either:
......@@ -224,7 +224,7 @@ You can either:
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/403042) in GitLab 16.0
In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date can be up to a maximum of one year from the rotation date.
In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration).
```plaintext
POST /personal_access_tokens/:id/rotate
......@@ -233,7 +233,7 @@ POST /personal_access_tokens/:id/rotate
| Attribute | Type | Required | Description |
|-----------|-----------|----------|---------------------|
| `id` | integer/string | yes | ID of personal access token |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. |
NOTE:
Non-administrators can rotate their own tokens. Administrators can rotate tokens of any user.
......@@ -277,7 +277,7 @@ Requires:
- `api` scope.
You can use the `expires_at` parameter to set a different expiry date. This non-default expiry date can be up to a maximum of one year from the rotation date.
In GitLab 16.6 and later, you can use the `expires_at` parameter to set a different expiry date. This non-default expiry date is subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration).
```plaintext
POST /personal_access_tokens/self/rotate
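Review bot: the replacement paragraph for `POST /personal_access_tokens/self/rotate` now opens with "In GitLab 16.6 and later", a version qualifier the old line did not carry and the commit message does not mention. It looks copied from the `/:id/rotate` section; please check that the version applies to the self-rotate endpoint as well, or leave the opening as "You can use the `expires_at` parameter" and change only the lifetime-limit sentence.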
......
......@@ -123,7 +123,7 @@ POST projects/:id/access_tokens
| `name` | string | yes | Name of the project access token |
| `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token) |
| `access_level` | integer | no | Access level. Valid values are `10` (Guest), `15` (Planner), `20` (Reporter), `30` (Developer), `40` (Maintainer), and `50` (Owner). Defaults to `40`. |
| `expires_at` | date | yes | Expiration date of the access token in ISO format (`YYYY-MM-DD`). The date cannot be set later than the [maximum allowable lifetime of an access token](../user/profile/personal_access_tokens.md#access-token-expiration). |
| `expires_at` | date | yes | Expiration date of the access token in ISO format (`YYYY-MM-DD`). If undefined, the date is set to the [maximum allowable lifetime limit](../user/profile/personal_access_tokens.md#access-token-expiration). |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
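Review bot: the replacement `expires_at` row for `POST projects/:id/access_tokens` drops the statement that the date "cannot be set later than" the maximum allowable lifetime, so the table no longer says that an explicitly supplied date is capped. Suggest keeping both facts, the cap on explicit values and the default when the attribute is omitted. Required is also still `yes` here, which conflicts with describing an undefined value.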
......@@ -170,7 +170,7 @@ POST /projects/:id/access_tokens/:token_id/rotate
|-----------|------------|----------|---------------------|
| `id` | integer or string | yes | ID or [URL-encoded path of the project](rest/index.md#namespaced-paths) |
| `token_id` | integer | yes | ID of the project access token |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. |
| `expires_at` | date | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/416795) in GitLab 16.6. If undefined, the token expires after one week. |
```shell
curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/<project_id>/access_tokens/<token_id>/rotate"
......
......@@ -158,7 +158,7 @@ Supported attributes:
|:-------------|:-------|:---------|:------------|
| `title` | string | yes | Title for key |
| `key` | string | yes | Public key value |
| `expires_at` | string | no | Expiration date of the key in ISO 8601 format (`YYYY-MM-DDTHH:MM:SSZ`) |
| `expires_at` | string | no | Expiration date of the key in ISO format (`YYYY-MM-DD`). |
| `usage_type` | string | no | Usage scope for the key. Possible values: `auth`, `signing` or `auth_and_signing`. Default value: `auth_and_signing` |
Returns either:
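Review bot: the `expires_at` row for SSH keys changes the documented format from ISO 8601 date-time (`YYYY-MM-DDTHH:MM:SSZ`) to date only (`YYYY-MM-DD`), which is a different change from the token defaults the commit message describes. Please confirm the keys API accepts a date-only value and say whether the date-time form is still accepted, since existing clients were told to send it. If this is only a wording alignment, it would be safer to leave the key format untouched in this commit.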
......@@ -214,7 +214,7 @@ Supported attributes:
| `id` | integer | yes | ID of user account |
| `title` | string | yes | Title for key |
| `key` | string | yes | Public key value |
| `expires_at` | string | no | Expiration date of the key in ISO 8601 format (`YYYY-MM-DDTHH:MM:SSZ`) |
| `expires_at` | string | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). |
| `usage_type` | string | no | Usage scope for the key. Possible values: `auth`, `signing` or `auth_and_signing`. Default value: `auth_and_signing` |
Returns either:
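Review bot: the new `expires_at` description reads "Expiration date of the access token", but this table documents an SSH key (`title` is "Title for key", `key` is "Public key value"). It should read "Expiration date of the key", matching the equivalent row in the previous hunk. The format change from `YYYY-MM-DDTHH:MM:SSZ` to `YYYY-MM-DD` needs the same confirmation as there.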
......
......@@ -91,7 +91,7 @@ Supported attributes:
| `name` | string | yes | Name of personal access token |
| `description`| string | no | Description of personal access token |
| `scopes` | array | yes | Array of approved scopes. Only accepts `k8s_proxy`. |
| `expires_at` | array | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). If undefined, token expires at the end of the current day. Subject to the [maximum allowable lifetime limits](../user/profile/personal_access_tokens.md#access-token-expiration). |
| `expires_at` | array | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). If undefined, the date is set to the [maximum allowable lifetime limit](../user/profile/personal_access_tokens.md#access-token-expiration). |
Example request:
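Review bot: the `expires_at` row for the `k8s_proxy` token changes the documented default from "token expires at the end of the current day" to the maximum allowable lifetime limit, which turns a same-day token into the longest-lived one the instance permits. That is a behaviour claim, not a wording alignment, so please confirm it against the endpoint before merging; if the end-of-day default is still what the API does, this row should keep it. The Type column also still says `array` for a date value and could be corrected in the same edit.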
......@@ -247,8 +247,8 @@ Supported attributes:
| `user_id` | integer | yes | ID of user account |
| `name` | string | yes | Name of impersonation token |
| `description`| string | no | Description of impersonation token |
| `expires_at` | date | yes | Expiration date of the impersonation token in ISO format (`YYYY-MM-DD`) |
| `scopes` | array | yes | Array of approved scopes. For a list of possible values, see [Personal access token scopes](../user/profile/personal_access_tokens.md#personal-access-token-scopes): |
| `expires_at` | date | yes | Expiration date of the impersonation token in ISO format (`YYYY-MM-DD`). If undefined, the date is set to the [maximum allowable lifetime limit](../user/profile/personal_access_tokens.md#access-token-expiration). |
| `scopes` | array | yes | Array of approved scopes. For a list of possible values, see [Personal access token scopes](../user/profile/personal_access_tokens.md#personal-access-token-scopes). |
Example request:
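Review bot: the impersonation token `expires_at` row is marked Required `yes` and now also describes what happens "If undefined", so the row contradicts itself. Decide which is true for this endpoint and make the Required column and the description agree. The trailing colon to period fix on the `scopes` row looks fine.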
......
......@@ -332,7 +332,7 @@ personal access token.
|:----------|:-------|:---------|:------------|
| `name` | string | yes | The name of the new token |
| `scopes` | string array | yes | The authorization scopes for the new token, these must be valid token scopes |
| `expires_at` | string | no | The expiry date for the new token |
| `expires_at` | string | no | Expiration date of the access token in ISO format (`YYYY-MM-DD`). |
| `key_id` | integer | no | The ID of the SSH key used as found in the authorized-keys file or through the `/authorized_keys` check |
| `user_id` | integer | no | User ID for which to generate the new token |
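Review bot: the new `expires_at` description for this endpoint gives the format but, unlike the other rows touched in this commit, does not say what happens when the attribute is omitted, even though Required is `no`. Since the stated goal is consistent wording on the undefined case, add the applicable default here or note that the token is created without an expiry, whichever the endpoint actually does.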
......