Application API tokens can be used in the authentication header.
Application API tokens do not expire and exist independently of user records. Application API tokens have their own set of scopes, allowing you to follow the principle of least privilege. Application API tokens are the recommended way to authenticate backend systems.
While these tokens do not expire, they can be disabled and/or deleted. Application API tokens can be generated, enabled, disabled and deleted programmatically, allowing you to set up an automatic key rolling system.
We log the use of each application API token and provide the timestamp of its last use. A disabled token can be re-enabled, allowing you to ensure that there isn't a rogue process using a token you are unaware of (or, more accurately, letting you quickly re-enable a token should something break).
Security protection
User API tokens cannot be used to authenticate any requests related to application API tokens. Only a user session can be used to authenticate these API calls.
Attributes:
Name | Type | Description |
---|---|---|
id | string | V7 UUID generated when the API token is created. |
name | string | A human-readable name for the API token. |
application_id | string | The id of the underlying application record. |
scopes | array | Array of Scopes assigned to this token. |
enabled | boolean | Whether this API token is enabled. Disabled tokens will fail authentication, but can be re-enabled. |
last_used_at | integer | Unix timestamp of when the token was last used in an API call (in seconds since the Unix epoch). |
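
An added example, not part of the original documentation or the service's own code: a planner for the key rolling described above that works only from the documented attributes, taking each token's age from the millisecond timestamp a V7 UUID carries in its first 48 bits. The thresholds, the action names and the handling of a missing `last_used_at` are assumptions, and the sample records are constructed.

```python
import uuid

DAY = 86400  # seconds

def created_at(token_id):
    """Unix seconds from the 48-bit millisecond timestamp that leads a v7 UUID."""
    u = uuid.UUID(token_id)
    if u.version != 7:
        raise ValueError(f"{token_id} is not a version 7 UUID")
    return (u.int >> 80) // 1000

def plan_rotation(tokens, now, max_age_days=90, idle_days=30, grace_days=14):
    """Map token id -> action. Thresholds are example policy, not service defaults."""
    plan = {}
    for t in tokens:
        born = created_at(t["id"])
        # Assumption: a never-used token has no last_used_at; age it from creation.
        idle = now - (t.get("last_used_at") or born)
        if not t["enabled"]:
            # Delete only after a quiet grace period, so a token that turns out
            # to be needed can still be re-enabled in the meantime.
            action = "delete" if idle > grace_days * DAY else "keep-disabled"
        elif idle > idle_days * DAY:
            action = "disable"
        elif now - born > max_age_days * DAY:
            action = "rotate"  # issue a replacement, then disable this token
        else:
            action = "keep"
        plan[t["id"]] = action
    return plan

def sample_token(name, created, last_used, enabled=True):
    """Constructed record with the documented attributes and a valid v7 id."""
    value = ((created * 1000) << 80) | (7 << 76) | (0b10 << 62) | sum(name.encode())
    return {"id": str(uuid.UUID(int=value)), "name": name,
            "application_id": "app-placeholder", "scopes": [],
            "enabled": enabled, "last_used_at": last_used}

NOW = 1_750_000_000  # constructed "current time" for the sample data
SAMPLE = [
    sample_token("billing-worker", NOW - 10 * DAY, NOW - DAY),
    sample_token("report-export", NOW - 200 * DAY, NOW - 7200),
    sample_token("old-importer", NOW - 120 * DAY, NOW - 45 * DAY),
    sample_token("never-used", NOW - 40 * DAY, None),
    sample_token("retired-sync", NOW - 300 * DAY, NOW - 60 * DAY, enabled=False),
    sample_token("paused-sync", NOW - 50 * DAY, NOW - 5 * DAY, enabled=False),
]
```

The planner only decides; carrying out each action is left to whatever calls the token management API from a user session.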