Description
What happened?
A bug happened! API keys created with a duration parameter expire at standardized intervals (e.g., 1st of next month) instead of expiring based on the actual duration from creation time.
Example:
- Create key on October 15th with duration="1mo"
- Current behavior: Key expires November 1st (only 16 days)
- Expected behavior: Key expires November 15th (full 30 days)
Why This Is a Bug
1. Violates Standard Duration Semantics
Standard behavior across software systems (AWS IAM, JWT tokens, TLS certificates) is to calculate duration from creation time. A key created on Jan 31 with duration="1mo" should not expire on Feb 1 (next day).
2. Breaks Security Policy Enforcement
Organizations cannot enforce consistent key rotation policies when:
- Keys created on day 1 last approximately 30 days
- Keys created on day 31 last approximately 1 day
- Cannot reliably verify compliance requirements
3. Confuses Two Distinct Use Cases
Budget Reset: Designed for financial tracking, uses standardized intervals (1st of month)
Key Expiration: Designed for security, should use relative time from creation
The bug occurs because generate_key_helper_fn (line 1681) incorrectly uses get_budget_reset_time() for key expiration instead of relative time calculation.
Root Cause
File: litellm/proxy/management_endpoints/key_management_endpoints.py:1681
# Current (buggy)
expires = get_budget_reset_time(budget_duration=duration)
# Expected
duration_s = duration_in_seconds(duration=duration)
expires = datetime.now(timezone.utc) + timedelta(seconds=duration_s)
Impact
- Unpredictable key expiration times
- Cannot automate key rotation reliably
- Security policies cannot be enforced consistently
- Compliance requirements cannot be met
Fix
PR: #15136
Changes line 1681 to use proper relative time calculation while keeping budget reset functionality unchanged. Only affects NEW keys (existing keys retain current expiration dates).
Relevant log output
N/A - This is a logic bug in the key generation code, not a runtime error.
Are you a ML Ops Team?
Yes
What LiteLLM version are you on ?
v1.76.3.rc.1
Twitter / LinkedIn details
No response
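Because the fix only affects new keys, operators may want to find existing keys whose stored expiry falls short of creation time plus duration. The following is an added example, not code from the issue or from LiteLLM: `calendar_aligned_expiry` only models the behaviour the report describes, and the record fields (`id`, `created_at`, `duration`, `expires`), the helper names and the 30-day reading of "mo" are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: "mo" means 30 days, matching the issue's "full 30 days".
UNIT_SECONDS = {"mo": 30 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(duration):
    """Hypothetical parser for strings such as '1mo' or '30d'."""
    for unit, seconds in UNIT_SECONDS.items():  # "mo" is tested before "m"
        if duration.endswith(unit):
            return timedelta(seconds=int(duration[: -len(unit)]) * seconds)
    raise ValueError(f"unsupported duration: {duration!r}")

def relative_expiry(created_at, duration):
    """Expected semantics: expiry = creation time + duration."""
    return created_at + parse_duration(duration)

def calendar_aligned_expiry(created_at, duration):
    """Model of the reported behaviour: 'Nmo' snaps to the 1st of a later month."""
    if not duration.endswith("mo"):
        return relative_expiry(created_at, duration)
    total = created_at.year * 12 + created_at.month - 1 + int(duration[:-2])
    return datetime(total // 12, total % 12 + 1, 1, tzinfo=UTC)

def audit_keys(keys, tolerance=timedelta(minutes=5)):
    """Return (id, shortfall) for keys expiring earlier than creation + duration."""
    findings = []
    for key in keys:
        expected = relative_expiry(key["created_at"], key["duration"])
        shortfall = expected - key["expires"]
        if shortfall > tolerance:
            findings.append((key["id"], shortfall))
    return findings

# Constructed sample records; field names are hypothetical.
OCT_15 = datetime(2025, 10, 15, tzinfo=UTC)
JAN_31 = datetime(2025, 1, 31, tzinfo=UTC)
SAMPLE_KEYS = [
    {"id": "key-a", "created_at": OCT_15, "duration": "1mo",
     "expires": calendar_aligned_expiry(OCT_15, "1mo")},
    {"id": "key-b", "created_at": JAN_31, "duration": "1mo",
     "expires": calendar_aligned_expiry(JAN_31, "1mo")},
    {"id": "key-c", "created_at": OCT_15, "duration": "1mo",
     "expires": relative_expiry(OCT_15, "1mo")},
]

if __name__ == "__main__":
    for key_id, shortfall in audit_keys(SAMPLE_KEYS):
        print(f"{key_id}: expires {shortfall} early")
```

Keys flagged by such an audit can be reissued or have their expiry corrected so that rotation policy reflects the requested duration.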