Documentation

How DiffMon works across monitoring, alerts, security, and API integration.

API tokens

Create, scope, rotate, and revoke API tokens for programmatic access.

Tokens authenticate API calls and should be managed with the same care as passwords.

Creating tokens

  • Owners can create tokens from the dashboard or API.
  • Tokens are stored hashed; the plaintext is shown once on creation.

Rotation and revocation

  • Rotate tokens regularly, and whenever someone leaves the team.
  • Revocation writes to the audit log so you can prove who made the change.

TypeScript
// Record the revocation: the org, the acting user, the token, and the originating request.
await writeAuditLog({
  orgId: ctx.org.id,
  actorUserId: ctx.user.id,
  targetType: 'api_token',
  targetId: token.id,
  action: 'api_token.revoked',
  requestId,
});
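
The lifecycle described under "Creating tokens" and "Rotation and revocation", as an added example that is not DiffMon's own code. It assumes an in-memory Map and array in place of the token table and writeAuditLog, a constructed "<id>.<secret>" token format, and SHA-256 as the storage hash.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Assumed stand-ins: a Map for the token table, an array for the audit log.
interface TokenRow { id: string; orgId: string; hash: Buffer; revokedAt: Date | null }
interface AuditEntry { orgId: string; actorUserId: string; targetType: string; targetId: string; action: string }
const tokens = new Map<string, TokenRow>();
const auditLog: AuditEntry[] = [];

// A fast hash is adequate here only because the secret is 32 random bytes, not a password.
const sha256 = (s: string): Buffer => createHash('sha256').update(s).digest();

// Create: hand the plaintext back once and persist only its hash.
function createToken(orgId: string): { id: string; plaintext: string } {
  const id = randomBytes(8).toString('hex');
  const plaintext = `${id}.${randomBytes(32).toString('hex')}`; // constructed format
  tokens.set(id, { id, orgId, hash: sha256(plaintext), revokedAt: null });
  return { id, plaintext };
}

// Verify: look up by id, reject revoked rows, compare hashes in constant time.
function verifyToken(presented: string): TokenRow | null {
  const [id = ''] = presented.split('.');
  const row = tokens.get(id);
  if (!row || row.revokedAt) return null;
  return timingSafeEqual(row.hash, sha256(presented)) ? row : null;
}

// Revoke: mark the row and append an audit entry using the fields shown above.
function revokeToken(id: string, actorUserId: string): boolean {
  const row = tokens.get(id);
  if (!row || row.revokedAt) return false; // unknown or already revoked: nothing to log
  row.revokedAt = new Date();
  auditLog.push({ orgId: row.orgId, actorUserId, targetType: 'api_token',
    targetId: id, action: 'api_token.revoked' });
  return true;
}

// Rotate: issue the replacement first, then revoke the old token.
function rotateToken(oldId: string, actorUserId: string): { id: string; plaintext: string } | null {
  const old = tokens.get(oldId);
  if (!old || old.revokedAt) return null;
  const next = createToken(old.orgId);
  revokeToken(oldId, actorUserId);
  return next;
}
```

Issuing the replacement before revoking the old token lets callers switch over without a gap in access.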

Usage tips

  • Use different tokens per environment.
  • Keep tokens out of client-side code; call the API from trusted backends.
  • Pair tokens with webhooks to automate downstream flows.