Safely using serviceaccounts for external authentication

Hello all,

I hope the Kubernetes community can help me to find a solution/direction for my use case.

We want to authenticate external systems to the Kubernetes API using service account tokens.
Unfortunatly these tokens are not rotated and therefor impose a use risk when they are stolen or leaked.

Are there peoplo who are facing the same use case or better they already found an solution for this?

Thank you all in advance!

Best regards,