Hey @noorbasha534
Honestly, I really understand your pain around token management. I face the same situation myself and it can definitely become a headache, especially when you have multiple technologies in play, some of them open-source, and even cases where you end up overlapping tools that essentially try to do the same job.
From my experience, the best approach is to use a central system such as Secret Manager or Azure Key Vault as the secure place to store these PATs. If that's not possible, then try to rely on role assumptions so that machines or services can fetch the required secrets dynamically without embedding them everywhere.
When it comes to rotation, my recommendation is to use the same system for creation and rotation. For example, if you create PATs via Terraform, avoid rotating them with a separate Cloud Function or Lambda, otherwise you'll constantly introduce drift. A better pattern is to leverage reporting capabilities to identify tokens that are about to expire, and then have a process that both rotates and notifies stakeholders. I've implemented this email system with the Graph API client to avoid spam.
It's also worth noting that if you work with Service Principals, you'll need PATs anyway since they're not human users. And even if you move to OAuth, you still face expiration periods, meaning you'll have to reconnect or refresh sessions, which can also break ingestion pipelines or refreshes. For example, I've seen this happen with Power BI dashboards, where failed refreshes were reported just because the OAuth token had expired for the assigned user.
Hope this helps!
Isi
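The "report on tokens about to expire, then notify stakeholders without spamming them" process described in the reply above, as an added example that is not part of the original post or any particular vendor's tooling. It assumes a metadata-only inventory (name, owner, expiry) exported from your secret store or reporting API; the inventory below is constructed sample data.

```python
"""Flag personal access tokens (PATs) that are about to expire and build one
digest per owner so stakeholders are notified once, not once per token.
Constructed example: INVENTORY is hand-written sample metadata, not the output
of any real reporting API, and no token value is ever stored here."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Pat:
    name: str              # descriptive label for the token, never the secret itself
    owner: str             # stakeholder to notify
    expires_at: datetime   # timezone-aware expiry timestamp


# Constructed sample inventory (assumption: exported from your secret store).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    Pat("ci-build-pat", "alice@example.com", NOW + timedelta(days=3)),
    Pat("powerbi-refresh", "bob@example.com", NOW + timedelta(days=10)),
    Pat("terraform-sp-pat", "alice@example.com", NOW + timedelta(days=40)),
    Pat("legacy-export", "carol@example.com", NOW - timedelta(days=1)),  # already expired
]


def expiring_tokens(inventory, now, warn_days=14):
    """Return tokens that expire within warn_days or have already expired."""
    cutoff = now + timedelta(days=warn_days)
    return [p for p in inventory if p.expires_at <= cutoff]


def build_digests(tokens, now):
    """Group affected tokens by owner: one message per owner avoids spam."""
    by_owner = defaultdict(list)
    for p in tokens:
        by_owner[p.owner].append(p)
    digests = {}
    for owner, pats in by_owner.items():
        lines = []
        for p in sorted(pats, key=lambda x: x.expires_at):
            days = (p.expires_at - now).days
            state = "EXPIRED" if days < 0 else f"expires in {days} day(s)"
            lines.append(f"- {p.name}: {state}")
        digests[owner] = "\n".join(lines)
    return digests


if __name__ == "__main__":
    # Hook the digests into your mail sender (e.g. the Graph API client mentioned above).
    for owner, body in build_digests(expiring_tokens(INVENTORY, NOW), NOW).items():
        print(f"To: {owner}\n{body}\n")
```

Run the rotation step on the same list before sending, so the notification reflects tokens that were actually rotated rather than merely flagged.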