Usage of headless users and long-lived tokens for CI usage #25033

ghost · 2026-05-07T11:09:12Z

ghost
May 7, 2026

Hello!

We would like to use automations to perform configuration changes, both to core components (organization sync and related things) and templates. For this purpose, headless users (https://coder.com/docs/admin/users/headless-auth) appears to be the proper solution.

However, headless users can't log in and as such need their access tokens created for them. The only type of user that can create access tokens for other users are Owners (https://coder.com/docs/admin/users/sessions-tokens#generate-a-long-lived-api-token-on-behalf-of-another-user).

Owners are prevented from creating long-lived tokens via the MAX_ADMIN_TOKEN_LIFETIME (https://coder.com/docs/reference/cli/server#--max-admin-token-lifetime) configuration flag, which defaults to 7 days.

My question then is:

How are we supposed to create long-lived tokens for headless users who interact with Coder via CI only?
Are we recommended to modify the MAX_ADMIN_TOKEN_LIFETIME configuration to one year (or more), thus circumventing the security consideration that created the addition of this configuration item?

Also, the obvious question: What am I missing?

jcjiang · 2026-05-07T17:54:42Z

jcjiang
May 7, 2026
Collaborator

Hey there! Appreciate you bringing this up.

You're not missing anything. Unfortunately, this is a known gap. MAX_ADMIN_TOKEN_LIFETIME` applies to all tokens created by Owners, regardless of whether the target is a human admin or a headless service account.

That means your options right now are:

Increase MAX_ADMIN_TOKEN_LIFETIME and use token scoping to limit blast radius

If you raise the limit, you can mitigate security issues by scoping the service account token to only the permissions it needs. Coder supports token scopes (e.g., template:read, workspace:read) and allow lists that restrict what resources a token can access.

Automate token rotation in CI

Keep the default 7-day lifetime and have your CI pipeline rotate the token before expiry. An Owner (or a separate automation credential) calls POST /api/v2/users/{service-account}/keys/tokens on a schedule to issue a fresh token and inject it into CI secrets. This avoids raising the lifetime but adds operational complexity.

Hybrid: modest lifetime increase + rotation

Set MAX_ADMIN_TOKEN_LIFETIME to something like 30 days instead of a year and combine with a monthly rotation job. This approach balances convenience with the exposure window.

We're planning to fill this gap and support finer-grained, per-role or per-user-type token lifetime policies, but I don't have an estimate for when those will land.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Usage of headless users and long-lived tokens for CI usage #25033

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Usage of headless users and long-lived tokens for CI usage #25033

Uh oh!

ghost May 7, 2026

Replies: 1 comment

Uh oh!

Uh oh!

jcjiang May 7, 2026 Collaborator

ghost
May 7, 2026

jcjiang
May 7, 2026
Collaborator