
[Security] Reduced Session Timeout - November 30, 2025

Enhancement

Changes

  • Active user session timeout reduced from 1 year to 30 days
  • Inactive user session timeout reduced from 2 weeks to 3 days

Effective November 30, 2025, CircleCI will reduce the inactive user session timeout from 2 weeks to 3 days and active user session timeout from 1 year to 30 days to align with NIST cybersecurity standards and enhance platform security.

What This Means

Users with active sessions will be required to re-authenticate after 30 days (previously 1 year). Users with inactive sessions will be required to re-authenticate after 3 days (previously 2 weeks). SSO customers can still set custom session timeouts via their identity provider (IdP). This change applies to all CircleCI web interface sessions.

Why We’re Making This Change

This update brings CircleCI in line with NIST (National Institute of Standards and Technology) recommended security practices and reduces the risk of unauthorized access from dormant sessions.

Action Required

No immediate action is required. Users who access CircleCI regularly may notice they need to re-authenticate more often.

Timeline

November 30, 2025: New 30-day session timeout takes effect. Existing active user sessions older than 30 days will be invalidated on this date. User sessions that have been inactive for more than 3 days will be invalidated on this date.
