# Managing access tokens

The `auth.accessTokens` setting in Sourcegraph's site configuration allows admins to fine-tune parameters related to access tokens:

```json
{
  "auth.accessTokens": {
    "allow": "all-users-create",
    "allowNoExpiration": false,
    "maxTokensPerUser": 25,
    "expirationOptionDays": [7, 14, 30, 60, 90],
    "defaultExpirationDays": 90
  }
}
```

## Access token creation

The `allow` property permits or restricts the use of access tokens. It can be assigned one of three values:

-   `all-users-create` (default) Enables all users to create access tokens.
-   `site-admin-create` Restricts creation of new tokens to admin users (existing tokens will still work until revoked).
-   `none` Disables access tokens entirely.

The `maxTokensPerUser` property determines the maximum number of active access tokens a user can have. The default maximum is 25 tokens.

## Access token expiration

Admins can set expiration policies for access tokens. After this specified period, tokens will automatically lose their access. Note that tokens created before version 5.3 do not expire; this policy only applies to **new** tokens.

`allowNoExpiration` - Controls whether tokens can be created with no expiration date. The default setting is false.

`expirationOptionDays` - The options users are presented with for the token expiration period. The default options are [7, 14, 30, 60, 90].

`defaultExpirationDays` - The default duration selection when creating a new access token. The default is 90 days.