API token should be able to have a lifetime max set by org

We currently can audit api tokens manually using api-access-audit.
We do not want tokens to remain the same forever for security purposes, and would love an automated token maximum lifetime. Ideally this would have the token auto rotated and notify the developer of it, allowing them to grab the new API_TOKEN.
Alternatively, the developer would be notified when their old token expires, and than need to make a new one by a certain date, as their old one deactivates.