Token API
The Privacy API relies on a long-lived (tentatively: 3 years) root Certificate Authority (CA) for authentication.
The keys responsible for signing privacy access tokens (PATs) are rotated weekly, with privacy access tokens accepted for two (2) weeks. Privacy access tokens are signed by the currently active root certificate and thus have an upper bound lifetime of two (2) weeks.