Is your feature request related to a problem?
PATs created via the CLI webauth login flow always have infinite lifetime. The webauth approval page hardcodes the expiry to null when minting the token (frontend/app/webauth/[requestCode]/page.tsx calls generateUserToken(...) with null).
This is despite expiry being fully supported everywhere else:
CreateUserTokenMutation accepts expiry: BigInt (backend/backend/graphene/mutations/environment.py)
UserToken.expires_at exists and is nullable (backend/api/models.py)
- Expiry is enforced on auth (
backend/api/utils/rest.py, token_is_expired_or_deleted)
- The normal "Create token" dialog already lets users pick an expiry (
frontend/utils/tokens.ts)
The CLI webauth path is the only token-creation flow that can't set an expiry.
Describe the solution you'd like
Let the CLI request a token lifetime during webauth login, and honor it:
- Extend the webauth request payload (currently
port-pubKeyHex-patName) to carry an optional requested expiry.
- On the webauth page, parse it and pass it to
generateUserToken(...) / CreateUserTokenMutation as expiry instead of hardcoded null.
- Show the resulting expiry on the approval screen so the user sees how long the token will live.
- No CLI-requested lifetime = current behavior (never expires).
Backend mutation/model changes shouldn't be needed - only the webauth frontend path stops hardcoding null.
Caveat: the payload is hyphen-joined and the token name can itself contain hyphens, so adding an expiry field needs a parse-safe format (not a naive split on -); coordinate with the CLI side.
Describe alternatives you've considered
- Letting the user pick the expiry directly on the webauth approval page, independent of any CLI request. Could complement the CLI-driven value, but the CLI-requested duration is the primary ask.
Additional context
Cross-repo change. CLI side (flag + sending the requested duration) tracked in phasehq/cli#302.
Key files: frontend/app/webauth/[requestCode]/page.tsx (hardcoded null), backend/backend/graphene/mutations/environment.py (CreateUserTokenMutation, already supports expiry).
Is your feature request related to a problem?
PATs created via the CLI webauth login flow always have infinite lifetime. The webauth approval page hardcodes the expiry to
nullwhen minting the token (frontend/app/webauth/[requestCode]/page.tsxcallsgenerateUserToken(...)withnull).This is despite expiry being fully supported everywhere else:
CreateUserTokenMutationacceptsexpiry: BigInt(backend/backend/graphene/mutations/environment.py)UserToken.expires_atexists and is nullable (backend/api/models.py)backend/api/utils/rest.py,token_is_expired_or_deleted)frontend/utils/tokens.ts)The CLI webauth path is the only token-creation flow that can't set an expiry.
Describe the solution you'd like
Let the CLI request a token lifetime during webauth login, and honor it:
port-pubKeyHex-patName) to carry an optional requested expiry.generateUserToken(...)/CreateUserTokenMutationasexpiryinstead of hardcodednull.Backend mutation/model changes shouldn't be needed - only the webauth frontend path stops hardcoding
null.Caveat: the payload is hyphen-joined and the token name can itself contain hyphens, so adding an expiry field needs a parse-safe format (not a naive split on
-); coordinate with the CLI side.Describe alternatives you've considered
Additional context
Cross-repo change. CLI side (flag + sending the requested duration) tracked in phasehq/cli#302.
Key files:
frontend/app/webauth/[requestCode]/page.tsx(hardcodednull),backend/backend/graphene/mutations/environment.py(CreateUserTokenMutation, already supportsexpiry).