Personal access token authentication is used on APIs that are designed to be accessed by other software in a programmatic way and where OpenID Connect is therefore not an option.
When accessing an API endpoint using personal access token authentication the given personal access token is validated as follows:
1.Check if the given token matches a PAT of a user in Client Service.
2.Check if the expiration date of the matched PAT is less or equal to the current date and time.
3.Check if the user owning the PAT is not in life-cycle status deleted.
Authentication will be only successful if all of the above checks succeed.
