Disable "Rotate your Matomo personal access token" emails?

cc1 · September 1, 2025, 8:21am

Does anyone know if it is possible to disable the ”Reminder: Rotate your Matomo personal access token” emails?

And if not is there a way to increase the 180 days to a higher value?

I have a a lot of Matomo instances with client accounts managed via Ansible and if clients do update their personal access tokens then the automation that is in place to automatically configure their WordPress sites to generate Matomo stats will break…

Schwuuuuup · September 1, 2025, 9:03am

I have the same problem, this Email just went out to 1000+ users, that were added automatically to Matomo and of which many don’t even know that they have a matomo account.

The users are authenticated via LDAP so I don’t know if the mentioned token even is relevant or needed.

This mail will trigger many questions at our support desk. Best case scenario they want to change their password because non-techie Non-native speakers won’t know what a “Token” is. But many will see this terribly worded Mail as a phising attempt and complain about it!

This NEEDS to be configurable and better yet, be able to be turned off.

cc1 · September 2, 2025, 9:20am

There is a GitHub issue for this here:

github.com/matomo-org/matomo

[Bug] Matomo sent out AuthTokenRotationNotificationEmail to all users ... that do not even use Matomo actively

opened 07:01AM - 30 Aug 25 UTC

the0ne

Potential Bug triaged

### What happened? Yesterday matomo decided it would be a good idea to send a n…otification to all users on our system: **"Reminder: Rotate your Matomo personal access token"** We're not happy with that. We're using matomo since several years, though not really actively. We're a non-profit web hoster and have our system basically create the webspace automatically, including a ready-setup matomo account. Most users never put the matomo tracking into their websites, but someone wants to use matomo it's really easy for them. Now it looks like that over the years, matomo itself - without us noting or caring - has created entries in table 'piwik_user_token_auth' for each of those webspaces during some upgrade, as the 'description' column for each entry contains the string 'Created by Matomo 4 migration'. Reading the matomo issues list it looks (see [#18216](https://github.com/matomo-org/matomo/issues/18216#issuecomment-974013789)) like by creating a new file config/config.php containing ``` <?php return [ 'observers.global' => \DI\add([ ['Mail.shouldSend', \DI\value(function (&$shouldSendMail, $mail) { if ($mail instanceof \Piwik\Plugins\UsersManager\Emails\AuthTokenRotationNotificationEmail) { $shouldSendMail = false; } })], ]), ]; ``` it should be possible to stop this. But maybe it would be wise for matomo to only send the notice ... I don't know * if the account is actually used for tracking and * if the token was not created automatically What do you think? Will the code above stop Matomo from sending this notification again? ### What should happen? Matomo should not send a notice to users that did not actually generate tracking data ever, but more important Matomo should not send a notice to users that only have a token that Matomo self-generated during an upgrade! ### How can this be reproduced? Install Matomo version from 2014, create user accounts, then upgrade over the years until you reach the current version. ### Matomo version 5.4.0 ### PHP version 8.1.2-1ubuntu2.22 ### Server operating system _No response_ ### What browsers are you seeing the problem on? Not applicable (e.g. an API call etc.) ### Computer operating system _No response_ ### Relevant log output ```shell ``` ### Validations - [x] Read our [Contributing Guidelines](https://github.com/matomo-org/matomo/blob/5.x-dev/CONTRIBUTING.md). - [x] Follow our [Security Policy](https://github.com/matomo-org/matomo/blob/5.x-dev/SECURITY.md). - [x] Check that there isn't already an issue that reports the same bug to avoid creating duplicates. - [x] The provided steps to reproduce is a [minimal reproducible](https://stackoverflow.com/help/minimal-reproducible-example) of the Bug.