Enforce an expiry time/duration on an API key
At present, all API keys for a user (service account user or 'real' user) do not have an expiry date.
As a result, non-required API keys can potentially leave access open via this key.
The suggestion would be to:
- allow users to specify the duration of the API key/token
- allow admins to specify the possible durations available to users/roles (e.g. administrators can stop users selecting 'unlimited' duration, and only allow 30, 60 or 90 days, for example)
2 votes
