@DMehaffy There are cases where security is a concern and API tokens MUST expire, e.g. internet banking… Strapi behaviour regarding ever tokens is correct since there are lots of frameworks handling tokens in various ways, but for the above-mentioned concern the token management must be deferred to a third-party service. Strapi has a built-in mechanism for this case (I can’t find it in docs right now), or the second option is to proxy Strapi access like I did in my strapi-access-proxy project.