Problem
ASTA_TOKEN (the credential the asta-plugins skills authenticate with at runtime) currently expires after 30 days. That's fine for an interactive human who re-auths periodically, but it's a recurring failure mode for unattended service accounts and bots.
In gas2own we just plumbed ASTA_TOKEN through every environment that drives an agent — local docker-run, the GCP VM, and the Cloud Run dispatcher — via Secret Manager (gas2own-asta-token) so the baked asta-plugins skills can authenticate (see allenai/gas2own#163). The gas2own dispatcher runs fully unattended (triggered by Slack/GitHub events), so a 30-day expiry means:
- the token silently goes stale, and
- every skill call that needs Asta auth starts failing ~once a month, with
- no human in the loop to notice or refresh it until something breaks.
Rotating a Secret Manager value every 30 days by hand isn't a viable operating model for a bot.
Ask
Provide a long-lived (or non-expiring / auto-renewable) token mechanism for service accounts and bots — something a headless agent can use without a 30-day manual refresh. Options worth considering:
- A dedicated service-account token type with a long (or configurable) TTL.
- A refresh-token / client-credentials flow the agent can run non-interactively to mint short-lived tokens on demand.
- Documented rotation guidance if long-lived tokens are intentionally not offered, so consumers can automate renewal.
Context / links
- gas2own PR: allenai/gas2own#163 (registers the asta-plugins skill catalog in all gas2own environments and wires
ASTA_TOKEN through GCP/terraform).
- Requested by @robe-ai2: "currently ASTA_TOKEN expires after 30 days ... we need a long-lived token for service accounts / bots going forward."
Problem
ASTA_TOKEN(the credential the asta-plugins skills authenticate with at runtime) currently expires after 30 days. That's fine for an interactive human who re-auths periodically, but it's a recurring failure mode for unattended service accounts and bots.In gas2own we just plumbed
ASTA_TOKENthrough every environment that drives an agent — localdocker-run, the GCP VM, and the Cloud Run dispatcher — via Secret Manager (gas2own-asta-token) so the baked asta-plugins skills can authenticate (see allenai/gas2own#163). The gas2own dispatcher runs fully unattended (triggered by Slack/GitHub events), so a 30-day expiry means:Rotating a Secret Manager value every 30 days by hand isn't a viable operating model for a bot.
Ask
Provide a long-lived (or non-expiring / auto-renewable) token mechanism for service accounts and bots — something a headless agent can use without a 30-day manual refresh. Options worth considering:
Context / links
ASTA_TOKENthrough GCP/terraform).