Personal Token Best Practices

Follow these guidelines to keep your Personal Access Tokens secure and well-managed.

Token Storage

Do:

  • Use a password manager or encrypted vault to store tokens.
  • Load tokens through environment variables in scripts and automation.
  • Encrypt tokens at rest.

Don't:

  • Commit tokens to Git or any version control system.
  • Store tokens in plain or unencrypted text files.
  • Share tokens through email, chat, or other insecure channels.
  • Reuse the same token across multiple environments.

Token Naming

Use descriptive names that indicate the token's purpose. This makes it easier to identify and manage multiple tokens.

Good names:

  • cli-dev — For Qualytics CLI during development.
  • ci-pipeline-staging — For CI/CD pipeline in the staging environment.
  • notebook-exploration — For ad-hoc API exploration in a Jupyter notebook.

Names to avoid:

  • test — Not descriptive enough.
  • token1 — Too generic.
  • my-token — Unclear purpose.

Note

Token names must be unique per user. Duplicate names return a conflict error.

Token Expiration Strategy

Choose expiration periods based on your use case:

| Use Case | Recommended Expiration | Notes |
|---|---|---|
| Development / testing | 30, 60, or 90 days | Short lifespan aligns with active development cycles. |
| CLI access | 90 days | Balance between convenience and security. |
| CI/CD pipelines | 90 days or 1 year | Longer lifespan for stable automation, with rotation before expiry. |
| One-time scripts | 30 days | Generate, use, then let it expire. |

Warning

Avoid using the Never expiration option. Tokens that never expire create security risks if compromised.

One Token Per Purpose

Create separate tokens for different tools, scripts, or environments:

  • One for the Qualytics CLI.
  • One for your CI/CD pipeline.
  • One for notebook exploration.

This makes it easy to revoke access for a specific use case without affecting others.

Token Rotation

When a token is approaching expiration:

  1. Generate a new token with a descriptive name (e.g., cli-dev-2026).
  2. Update your scripts, environment variables, or secrets manager with the new token.
  3. Verify that everything works with the new token.
  4. Revoke the old token.
  5. Delete the revoked token.
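
The naming, expiration, and rotation guidance above can be checked mechanically against a token inventory. The following is an added example, not Qualytics code: the inventory format (name, use_case, created, expires), the use-case keys, the finding labels, and the 14-day rotation window are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Maximum lifetime in days per use case, taken from the expiration table on this page.
MAX_LIFETIME_DAYS = {"development": 90, "cli": 90, "ci-cd": 365, "one-time": 30}
# Names this page lists as not descriptive enough.
GENERIC_NAMES = {"test", "token1", "my-token"}
ROTATION_WINDOW = timedelta(days=14)  # assumption: start rotating two weeks before expiry


def audit_tokens(tokens, today):
    """Return a sorted list of (token_name, finding) tuples for a token inventory.

    Each token is a dict with hypothetical keys: name, use_case, created, expires
    (expires is None for a token created with the "Never" option).
    """
    findings = []
    seen = set()
    for tok in tokens:
        name = tok["name"]
        if name in seen:  # names must be unique per user
            findings.append((name, "duplicate-name"))
        seen.add(name)
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic-name"))
        if tok["expires"] is None:
            findings.append((name, "never-expires"))
            continue
        limit = MAX_LIFETIME_DAYS.get(tok["use_case"])
        lifetime = (tok["expires"] - tok["created"]).days
        if limit is not None and lifetime > limit:
            findings.append((name, "lifetime-exceeds-%d-days" % limit))
        if tok["expires"] < today:
            findings.append((name, "expired"))
        elif tok["expires"] - today <= ROTATION_WINDOW:
            findings.append((name, "rotate-now"))
    return sorted(findings)


# Constructed sample inventory: metadata only, never the token values themselves.
SAMPLE = [
    {"name": "cli-dev", "use_case": "cli", "created": date(2026, 1, 5), "expires": date(2026, 4, 5)},
    {"name": "ci-pipeline-staging", "use_case": "ci-cd", "created": date(2025, 4, 10), "expires": date(2026, 4, 10)},
    {"name": "token1", "use_case": "development", "created": date(2026, 1, 1), "expires": None},
    {"name": "one-off-backfill", "use_case": "one-time", "created": date(2026, 3, 1), "expires": date(2026, 5, 30)},
]

if __name__ == "__main__":
    for name, finding in audit_tokens(SAMPLE, today=date(2026, 4, 1)):
        print(f"{name}: {finding}")
```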

Revoke Compromised Tokens Immediately

If you suspect a token has been exposed:

  1. Revoke the token immediately using the Revoke Token action.
  2. Generate a new token.
  3. Update your scripts and configurations with the new token.
  4. Review your recent API activity to check for unauthorized access.

Warning

Revoked tokens stop working instantly. Any script or tool using the revoked token will immediately lose API access.

When to Use Personal Tokens vs Service Tokens

| Scenario | Use |
|---|---|
| Personal development and testing | Personal Token |
| Ad-hoc API exploration | Personal Token |
| Qualytics CLI access | Personal Token |
| Production pipelines and automation | Service Token |
| Data catalog integrations | Service Token |
| Shared automation across teams | Service Token |

Tip

Personal Tokens are tied to your user account. If you leave the organization, any automation using your Personal Token will break. For production workloads, always use Service Tokens.