Create an API token

POST /api/api-tokens

Creates a new personal API token for the authenticated user. The full secret token is returned exactly once, in the plainToken field of the response - store it immediately, as it is hashed on the server and can never be retrieved again. The name must be unique among the user's tokens. Optionally scope the token to specific organizations via organizations (the requesting user must be a member of each); an empty list grants access to all organizations the user belongs to. This endpoint requires a full session/JWT login - it cannot be called while authenticating with an API token.

Authorizations

ApiToken

Long-lived API token created via POST /api/api-tokens (returned once in plaintext).

Type
API Key (header: X-API-TOKEN)
or
JWT

JWT access token obtained via POST /api/auth/login. Send as: Authorization: Bearer <token>.

Type
HTTP (bearer)

Request Body

JSON
{
  "name": "CI deployment token",
  "expiresAt": "2027-06-30T00:00:00+00:00",
  "organizations": [
    [
      "/api/organizations/12",
      "/api/organizations/34"
    ]
  ]
}

Responses

api-token resource created

JSON
{
  "@context": "string",
  "@id": "string",
  "@type": "string",
  "id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
  "name": "CI deployment token",
  "plainToken": "smoxy_live_1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
  "lastUsedAt": "2026-06-30T14:23:00+00:00",
  "expiresAt": "2027-06-30T00:00:00+00:00",
  "active": true,
  "createdAt": "2026-06-30T09:00:00+00:00",
  "organizations": [
    [
      "/api/organizations/12",
      "/api/organizations/34"
    ]
  ]
}
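
Added example, not part of the original API documentation: one way a client can handle this response so that plainToken is written to an owner-only file as soon as it arrives and only log-safe metadata is passed on. The function name store_plain_token, the output path and the fingerprint and all_organizations fields are assumptions of this example; the sample response is constructed.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample; field names and shape mirror the page's response example.
SAMPLE_RESPONSE = json.dumps({
    "id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    "name": "CI deployment token",
    "plainToken": "smoxy_live_CONSTRUCTED_PLACEHOLDER",
    "expiresAt": "2027-06-30T00:00:00+00:00",
    "organizations": [["/api/organizations/12"]],
})


def store_plain_token(response_body, path):
    """Write plainToken to `path` (owner-only) and return log-safe metadata."""
    doc = json.loads(response_body)
    secret = doc.pop("plainToken", None)
    if not isinstance(secret, str) or not secret:
        raise ValueError("no plainToken in response; it cannot be retrieved later")
    # O_EXCL refuses to overwrite an existing secret; 0o600 applies from creation,
    # so the file is never briefly readable by other local users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(secret)
    return {
        "id": doc.get("id"),
        "name": doc.get("name"),
        "expiresAt": doc.get("expiresAt"),
        # Client-side fingerprint for correlating logs; not the server's stored hash.
        "fingerprint": hashlib.sha256(secret.encode()).hexdigest()[:12],
        # An empty list means access to every organization the user belongs to
        # (a missing field is treated the same way here, as an assumption).
        "all_organizations": not doc.get("organizations"),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(store_plain_token(SAMPLE_RESPONSE, os.path.join(tmp, "api-token")))
```

Log or display only the returned dictionary; a true all_organizations value is worth a review before the token is handed to a CI system.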
