Personal Token Permissions
This page covers the roles and permissions required to view and manage Personal Access Tokens.
Workspace-Level Only
Token management is a global platform feature — it is not scoped to individual datastores or teams. Unlike datastore features that use two permission layers (User Roles + Team Permissions), token operations are controlled exclusively by User Roles. Team Permissions do not apply.
User Roles (Workspace-Level)
Any authenticated user with at least the Member role can manage their own Personal Access Tokens. Each user can only see and manage their own tokens — there is no cross-user visibility for Personal Tokens.
| Action | Member | Manager | Admin |
|---|---|---|---|
| Access the Tokens page | |||
| View own Personal Tokens | |||
| Generate Personal Token | |||
| Revoke own Personal Token | |||
| Restore own Personal Token | |||
| Delete own Personal Token | |||
| Create SCIM Administration Token |
UI Behavior Without Permission
| Scenario | What the User Sees |
|---|---|
| User has Member or Manager role | Can access the Tokens page and see the Personal tab. Can generate, revoke, restore, and delete their own tokens. The token form shows Name and Expiration fields only. The SCIM option and Type selector are hidden. |
| User has Admin role | Same as Member/Manager, plus the token form shows the Type selector (Personal/Service) and the SCIM Administration Token checkbox. |
API Permissions
| Endpoint | Method | Required Role | Description |
|---|---|---|---|
/user-tokens |
GET | Member | List your own Personal Tokens. |
/user-tokens |
POST | Member | Create a Personal Token (for yourself). |
/user-tokens/{id} |
PUT | Member | Revoke or restore your own Personal Token. |
/user-tokens/{id} |
DELETE | Member | Delete your own Personal Token (must be revoked first). |
Constraints
- Token names must be unique per user — duplicate names return a conflict error (409).
- Active tokens cannot be deleted — you must revoke a token before you can delete it.
- Internal users are blocked — system internal users cannot create or manage tokens.
Service Token Permissions
For permissions related to Service Tokens (Admin-only), see the Service Token Permissions page.
Full User Roles Reference
For the complete User Roles matrix across all Qualytics features, see the User Roles page.