Invalidate REST API token


Hi! Is there a possibility to automatically invalidate access tokens after a period of time? I am talking about rc_token which gets set as a cookie once logged in. Even if I set the “Login expiration in days” to 1 in the Admin settings, I can still do REST API calls indefinitely after 1 day by setting the X-Auth-Token to whatever the rc_token was.

I came across this “official” answer from a Rocket.Chat employee saying: “Currently the authentication tokens obtained via the Rocket.Chat REST API have no expiration date.”

I wonder if that changed somehow during the last 3 years 🙂 Can anyone help?