Support short-lived API tokens and fine-grained rate limits

[HackingRepo]

I would like to suggest adding support for short-lived API tokens that can expire in minutes or hours, instead of the current options of days, months, or years.

This would improve security significantly: if a token is leaked or stolen, it would quickly become invalid, preventing unauthorized access. Currently, long-lived tokens present a risk if exposed, and short-lived tokens would help mitigate that.

Thank you for considering this feature. It would make automation, CI/CD workflows, and general security on crates.io much safer.

[Turbo87]

maybe https://crates.io/docs/trusted-publishing is what you're looking for?

regular API tokens can only be issued through the user interface, so if such an API token was only valid for minutes it wouldn't be particularly useful.

if you really want something short lived like that then you can always revoke the token after usage.

[HackingRepo]

No but short token, You need them sometime, Just introduce hours and minutes support not by default by example the user select custom and put the minute example 10 after this will work.

[Turbo87]

but why? what for? what is solved by that, that isn't addressed by my suggestions?

[HackingRepo]

The idea isn’t to change the default behavior — it’s mainly to cover cases where short-lived tokens are needed for testing, demos, or temporary access without reconfiguring global defaults.

Adding optional support for specifying minutes or hours (e.g., via a “custom” selection) would simply give users more flexibility while keeping existing behavior unchanged.

[Turbo87]

what about "if you really want something short lived like that then you can always revoke the token after usage"?