Built by an engineer who got tired of 2 a.m. token-expiry pages

Why this exists

I've shipped and operated systems on Azure long enough to have lived through the same incident more than once: a background job stops working, a SAML integration suddenly 401s, a CI pipeline starts failing without a code change. You dig in, you discover a client secret expired sometime overnight, and you spend the next hour rotating it, redeploying, and writing an apology to whoever noticed first.

The Azure Portal will show you when a secret expires. It just won't tell you about it. There's no built-in expiration alerting, no centralized view across App Registrations, no webhook into your incident channel. Every team I've worked with eventually reinvents the same thing — a brittle PowerShell script, a Logic App, a spreadsheet someone updates by hand.

Token Watch is the version of that I always wanted: read-only, no secrets stored, set up in a minute, and loud enough to actually wake you up before production does.

Principles

• Read-only, always. We ask for the minimum Graph permissions to see expirations — nothing that can modify your tenant.
• No secrets leave your tenant. We pull metadata (names, expiration dates, key IDs). Actual secret values stay where they belong.
• Boring is good. Monitoring should be the dullest thing in your stack. No dashboards you have to remember to look at.
• Real alerts, not noise. Email or webhook, on a schedule that matches how your team actually responds — not a firehose.