API Tokens

Application API tokens can be used in the authentication header.

Application API tokens do not expire and exist independently of user records. Application API tokens have their own set of scopes, allowing you to follow the principle of least privilege. Application API tokens are the recommended way to authenticate backend systems.

While these tokens do not expire, they can be disabled and/or deleted. Application API tokens can be generated, enabled, disabled and deleted programmatically, allowing you to set up an automatic key rolling system.

We log the use of each application API token and provide the timestamp of its last use. A disabled token can be re-enabled, allowing you to ensure that there isn't a rogue process using a token you are unaware of (or, more accurately, letting you quickly re-enable a token should something break).
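The sketch below shows one way to drive a key rolling system from the last-use timestamp, disabling a token before deleting it so it can still be re-enabled if something breaks. It is an added example, not this product's API: the `Token` fields, the action names and the thresholds are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Token:                      # hypothetical record shape, not the vendor's schema
    id: str
    created: datetime
    enabled: bool
    last_used: Optional[datetime]
    disabled_at: Optional[datetime] = None

def plan_rotation(tokens, now, max_age, quiet, grace):
    """Return (action, token_id) pairs; the caller performs them via the real API."""
    actions = []
    live = sorted((t for t in tokens if t.enabled), key=lambda t: t.created)
    # Issue a replacement when no enabled token exists or the newest is too old.
    if not live or now - live[-1].created >= max_age:
        actions.append(("generate", None))
    # Older enabled tokens: disable only once nothing has used them for `quiet`.
    for t in live[:-1]:
        idle = t.last_used is None or now - t.last_used >= quiet
        actions.append(("disable" if idle else "wait", t.id))
    # Disabled tokens stay re-enablable for `grace`, then are deleted for good.
    for t in tokens:
        if not t.enabled and t.disabled_at and now - t.disabled_at >= grace:
            actions.append(("delete", t.id))
    return actions

def _d(month, day, hour=0, year=2024):
    return datetime(year, month, day, hour, tzinfo=timezone.utc)

NOW = _d(6, 1)
SAMPLE = [  # constructed records
    Token("tok_A", _d(1, 1), True, _d(5, 31, 12)),           # old, still in use
    Token("tok_B", _d(2, 1), True, _d(5, 1)),                # old, gone quiet
    Token("tok_C", _d(5, 20), True, _d(5, 31, 23)),          # current token
    Token("tok_D", _d(10, 1, year=2023), False, _d(4, 30), _d(5, 1)),  # past grace
    Token("tok_E", _d(3, 1), False, _d(5, 24), _d(5, 25)),   # within grace
]
LIMITS = dict(max_age=timedelta(days=90), quiet=timedelta(days=7),
              grace=timedelta(days=14))

if __name__ == "__main__":
    for action, token_id in plan_rotation(SAMPLE, NOW, **LIMITS):
        print(action, token_id)
```

A `wait` result is the signal to investigate: some process is still presenting an old token after its replacement was issued.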

Security protection

User API tokens cannot be used to authenticate any requests related to application API tokens. Only a user session can be used to authenticate these API calls.