At a glance
Days remaining before the merchant’s DPDLocal API credential rotates or expires. DPDLocal’s API uses GeoSession JWTs (~1 hour TTL) backed by long-lived account credentials; this card surfaces the long-lived credential’s rotation window. A token expiry that hits zero stops every operation: label printing, tracking poll, claims sync.
| What it counts | expiryTimestamp - now() for the active DPDLocal account credential. The credential is typically a username/password pair (account-scoped) or a delegated token that DPD support has issued for headless integration; rotation cadence is set by the merchant’s IT security policy or by DPD’s mandatory rotation. |
| GeoSession JWT vs account credential | This card tracks the account credential, not the per-session JWT. JWTs auto-refresh on each call. The account credential is the human-managed thing that needs rotating manually. |
| Polling | The connector reads the credential record’s expiry metadata on each scheduled health check (every 15 minutes by default). |
| Failure modes if the count hits 0 | Label generation API returns 401; tracking poll fails; the entire DPDLocal connector goes red. CS workflows that auto-create labels on order receipt back up immediately. |
| Time window | RT (real-time, not windowed) |
| Alert trigger | <14 days. Two-week lead is enough for a typical IT ticket-and-rotation workflow. |
| Roles | owner, operations |
Calculation
Calculated automatically from your DPDLocal data. See the At a glance summary above for what the metric tracks and the worked example below for a typical reading.
Worked example
A UK pet-supplies DTC merchant with 12,000 monthly DPDLocal parcels. IT manages a single shared service account with a 90-day rotation policy. Reading taken 12 Mar 26.
| Date | Days to expiry | Status |
|---|---|---|
| 12 Mar 26 (today) | 23 days | Healthy |
| 28 Mar 26 (T-13) | 7 days | Critical alert (<14 days) |
| 04 Apr 26 (T-0) | 0 | Connector goes red, label printing breaks |
- Rotation reminder is a calendar item, not an emergency. The current 23 days gives the operations team comfortable lead time to put a ticket on the IT board for credential rotation, schedule a maintenance window, and re-key the connector without a Saturday-night incident.
- Don’t wait for the alert. Best practice is to schedule rotation at least 30 days before expiry. The <14 days alert is the safety net; the calendar reminder at 30 days is the discipline.
Sibling cards merchants should reference together
| Card | Why pair it with Days to Token Expiry |
|---|---|
| API Error Rate | Rising 401 errors on the same connector = credential is failing before formal expiry; rotate immediately. |
| GeoSession Auth Risk | The session-token (1h JWT) view; flags persistent re-auth failures. Different layer, related concern. |
| Label Generation Success | Auth failures cascade into label-print failures within minutes. |
Reconciling against the vendor’s own dashboard
Where to look in DPDLocal: MyDPD Business Portal → Account → API Credentials lists the active credentials and their expiry windows. DPDLocal does not expose a direct API endpoint for this; the card uses the connector-stored expiry record (set at connector configuration time, refreshed on each rotation).
Why our number may legitimately differ:
| Reason | Direction | Why |
|---|---|---|
| Manual rotation in MyDPD without re-keying the connector | Ours stale | If IT rotates the credential in MyDPD but does not update Vortex IQ’s connector config, the card still shows the old expiry; meanwhile the connector starts failing 401. Watch API Error Rate as the canary. |
| Multiple credentials per realm | Card scoped | Some merchants run separate credentials per warehouse or per brand. The card shows the credential the connector is currently using; rotate them all if you rotate one. |
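The check below is an added example, not Vortex IQ's or DPDLocal's own code. It combines the card's calculation (expiryTimestamp - now(), alert under 14 days) with recent HTTP status codes so that a stale expiry record shows up as a mismatch. The function name, the status labels and the 50% 401 threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timezone

ALERT_DAYS = 14         # the card's alert trigger (<14 days), from the page
AUTH_FAIL_RATIO = 0.5   # assumption: share of 401s that counts as "auth failing"

def assess(expiry, now, recent_statuses):
    """Return (days_to_expiry, status) from the stored expiry record and the
    HTTP status codes of the connector's most recent DPDLocal calls."""
    remaining = expiry - now                      # expiryTimestamp - now()
    days = max(remaining.days, 0)
    past_expiry = remaining.total_seconds() <= 0
    n401 = sum(1 for s in recent_statuses if s == 401)
    failing = bool(recent_statuses) and n401 / len(recent_statuses) >= AUTH_FAIL_RATIO
    if past_expiry:
        if recent_statuses and not failing:
            # Card shows 0 but calls succeed: grace period or stale expiry
            # record; refresh the connector config.
            return days, "stale-or-grace"
        return days, "expired"
    if failing:
        # 401s before formal expiry, e.g. rotated in MyDPD without re-keying
        # the connector; the stored expiry can no longer be trusted.
        return days, "failing-early"
    if days < ALERT_DAYS:
        return days, "alert"
    return days, "healthy"

if __name__ == "__main__":
    utc = timezone.utc
    expiry = datetime(2026, 4, 4, tzinfo=utc)        # constructed expiry record
    ok = [200] * 10                                  # constructed status samples
    bad = [401] * 8 + [200] * 2
    cases = [
        ("12 Mar, calls OK", datetime(2026, 3, 12, tzinfo=utc), ok),
        ("28 Mar, calls OK", datetime(2026, 3, 28, tzinfo=utc), ok),
        ("12 Mar, 401s", datetime(2026, 3, 12, tzinfo=utc), bad),
        ("04 Apr, calls OK", datetime(2026, 4, 4, tzinfo=utc), ok),
        ("04 Apr, 401s", datetime(2026, 4, 4, tzinfo=utc), bad),
    ]
    for label, now, statuses in cases:
        print(label, assess(expiry, now, statuses))
```

The first two cases reproduce the worked example's 12 Mar and 28 Mar readings; the remaining three cover the mismatch cases where the stored expiry and the observed auth behaviour disagree.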
Known limitations / merchant FAQs
Why does this card matter? Aren’t the JWTs auto-refreshed?
Two layers. The 1-hour GeoSession JWT auto-refreshes silently. The underlying account credential (username/password or service-account secret) does not auto-refresh; it must be rotated manually. When the account credential expires, the JWT refresh fails, and every operation against DPDLocal stops. This card tracks the manual rotation deadline.
Who owns the rotation?
Usually the merchant’s IT or operations team. Best practice: a quarterly calendar reminder in the IT ticketing system, with a 30-day-before-expiry trigger that aligns with this card’s <14 days alert.
The card shows 0 days but the connector is still working. Why?
Two possibilities. (1) DPDLocal granted a grace period on the credential (uncommon but documented). (2) The expiry metadata is stale because IT rotated in MyDPD but did not update the connector config. Either way, re-validate by attempting a label print; if successful, refresh the connector config to clear the stale expiry.
Can I extend the rotation cadence?
DPD’s recommended rotation is 90 days. Some merchants negotiate 180 days for low-risk read-only credentials. Anything longer is generally not granted because of DPD’s own security policy.
What breaks first when the credential expires?
Label-printing API calls return 401, which cascades into the label-printing apps the operations team uses (e.g. ShipStation, Veeqo). Tracking polls also fail; tracking events stop flowing. CS visibility into in-flight parcels goes dark within 30 minutes.
Should I rotate during peak (BFCM)?
No. Schedule rotation at least 30 days before BFCM and at least 14 days after; the credential rotation needs a re-key window which (rarely) takes longer than expected. A failed rotation during peak is a service-level event.