Personal Token FAQ

Answers to common questions about Personal Access Tokens, including creation, expiration, lifecycle management, and security best practices.

General

What is a Personal Access Token?

A Personal Access Token (PAT) is a secure credential that allows you to authenticate with the Qualytics API without using a password. Each token is tied to your user account, inherits your permissions, and is managed entirely by you — no administrator involvement is needed.

What is the difference between a Personal Token and a Service Token?

Personal Tokens are tied to your individual user account and are self-service — any Member can create their own. Service Tokens are tied to Service Users (dedicated accounts for automation) and are managed exclusively by Admins. If you leave the organization, any automation using your Personal Token will break. For production workloads, use Service Tokens.

Can an Admin see my Personal Tokens?

No. Personal Tokens are private to each user. Admins cannot view, revoke, or delete another user's Personal Tokens through the UI or API. Only you can manage your own tokens.

How many tokens can I have?

There is no limit on the number of Personal Tokens. However, each token name must be unique per user — attempting to create a duplicate returns a 409 Conflict error.

Creation

What expiration options are available?

30 days, 60 days, 90 days, 1 year, or Never. Choosing a time-bound expiration is recommended — tokens that never expire create security risks if compromised.

Can I retrieve a token after it's been generated?

No. The token value is shown only once at creation time. Internally, the platform stores a one-way hash — the original value cannot be recovered. If you lose a token, you must generate a new one.

What is a SCIM Administration Token?

A SCIM token restricts API access to SCIM provisioning endpoints only (/scim/v2/*). It is used for directory sync and automated user provisioning. Only users with the Admin role can create SCIM tokens.

What happens if I create a token with a duplicate name?

The platform returns a 409 Conflict error. Choose a different name or delete the existing token first.

Expiration

What happens when a token expires?

The token automatically stops working. API requests using an expired token are rejected. You must generate a new token to regain access.

Can I restore an expired token?

The UI does not show the Restore option for expired tokens. However, expired tokens can technically be reactivated via the API by setting {"revoke": false}. Note that restoring an expired token does not extend its expiration date — the token remains expired and will not work for authentication. In practice, you should generate a new token instead.

Can I change the expiration of an existing token?

No. Expiration is set at creation time and cannot be modified. Generate a new token with the desired expiration, update your scripts, then revoke and delete the old one.

Revoking and Deleting

What happens when I revoke a token?

The token is deactivated immediately — there is no grace period. Any script, tool, or integration using the revoked token will lose API access instantly. You can restore a revoked token to reactivate it, or delete it permanently.

Can I restore a revoked token?

Yes. Revoked tokens can be restored to Active status, which reactivates API access. The UI hides the Restore option for expired tokens — in practice, generate a new token if the old one has expired.

Can I delete an active token?

No. You must revoke the token first, then delete it. Attempting to delete an active token returns a 400 Bad Request error.

Can I restore a deleted token?

No. Deletion is permanent and irreversible. Once a token is deleted, it cannot be recovered.

Can I rename a token?

No. Token names are set at creation time and cannot be modified.
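
The rules from the Creation, Expiration, and Revoking and Deleting answers above, collected into one small model. This is an added example, not Qualytics code: `TokenStore`, `TokenError` and their methods are hypothetical names, and SHA-256 is an assumption, since the page only says that a one-way hash is stored.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

class TokenError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status  # HTTP status the page says the API returns

class TokenStore:
    """Toy model of one user's tokens; all names here are hypothetical."""
    def __init__(self):
        self.rows = {}  # name -> {"digest", "expires", "revoked"}

    @staticmethod
    def _digest(value):
        # Assumption: SHA-256. The page only says "one-way hash".
        return hashlib.sha256(value.encode()).hexdigest()

    def create(self, name, days=None, now=None):
        if name in self.rows:
            raise TokenError(409, "token name already exists")
        now = now or datetime.now(timezone.utc)
        value = secrets.token_urlsafe(32)  # returned once, never stored
        self.rows[name] = {
            "digest": self._digest(value),
            "expires": now + timedelta(days=days) if days else None,  # None = Never
            "revoked": False,
        }
        return value

    def set_revoked(self, name, revoked):
        # Restore is revoke=False; it never touches the expiration date.
        self.rows[name]["revoked"] = revoked

    def delete(self, name):
        if not self.rows[name]["revoked"]:
            raise TokenError(400, "revoke the token before deleting it")
        del self.rows[name]

    def authenticate(self, value, now=None):
        now = now or datetime.now(timezone.utc)
        digest = self._digest(value)
        for row in self.rows.values():
            if hmac.compare_digest(row["digest"], digest):
                expired = row["expires"] is not None and now >= row["expires"]
                return not row["revoked"] and not expired
        return False
```

Because only the digest is kept, nothing in `rows` can reproduce the token value, and restoring an expired token leaves `authenticate` returning `False`.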

Troubleshooting

My token stopped working — what happened?

There are three possible reasons: the token expired (check the expiration date on the token list), the token was revoked (status badge shows orange "Revoked"), or your user account was deactivated. Check the token's status badge and expiration on the Tokens page to diagnose the issue.

Where do I find my tokens in the interface?

Go to Settings (left sidebar) → Access Tokens. The Personal tab shows all your tokens with their status, expiration, and last used timestamp.

Usage

How do I use my token for API requests?

Include the token in the Authorization header of your request:

curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://your-instance.qualytics.io/api/datastores

How can I tell if my token is being used?

Check the Last Used timestamp on the token list. It shows when the token was last used for an API request. Hovering over the timestamp shows the exact date and time in your local timezone.

Should I use a Personal Token for production automation?

No. Personal Tokens are tied to your user account — if you leave the organization or your account is deactivated, the automation breaks. For production pipelines and integrations, use Service Tokens.

Can I use the same token in the Qualytics CLI and in scripts?

Yes. A single token works anywhere that accepts Bearer authentication — the CLI, curl, Python scripts, CI/CD pipelines, etc. However, it is recommended to create separate tokens for each tool or environment so you can revoke access independently.

Can I use the same token across multiple environments?

It is not recommended. Create separate tokens for each environment (development, staging, production). This makes it easy to revoke access for a specific environment without affecting others.

Does my token have access to everything I have access to?

Yes. A Personal Token inherits your full permissions — same role, same team memberships. If your role changes (e.g., from Admin to Member), all your existing tokens immediately reflect the new permissions. There is no way to create a token with fewer permissions than your account.

What happens to my tokens if my role changes?

Your tokens continue to work, but they immediately reflect your new role. For example, if you are downgraded from Admin to Member, your tokens can no longer access Admin-only endpoints. No action is needed on the tokens themselves.

Integration Scenarios

Can I use my token in a Jupyter notebook?

Yes. Use the token in the Authorization header with the requests library. The token works for the full duration of your session — there is no idle timeout. If the token has an expiration date, make sure it covers the expected lifetime of your notebook workflow.

How do I store my token in CI/CD pipelines?

Store the token as a secret or environment variable in your CI/CD platform (e.g., GitHub Actions secrets, GitLab CI variables, Jenkins credentials). Never hardcode tokens in pipeline definitions or commit them to version control. Reference the variable in your scripts:

curl -H "Authorization: Bearer $QUALYTICS_TOKEN" \
  https://your-instance.qualytics.io/api/datastores
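
A check that can run before commit or in the pipeline itself to catch a token pasted directly into a pipeline definition. This is an added example, not part of the Qualytics documentation: it flags any `Authorization: Bearer` value that is a literal rather than a variable or secret reference, and the sample pipeline text and token value are constructed for illustration.

```python
import re

# The header form used on this page: Authorization: Bearer <value>
BEARER = re.compile(r"Authorization:\s*Bearer\s+([^\s\"'\\]+)", re.IGNORECASE)
# Values that reference a secret instead of containing one:
# $VAR, ${VAR}, ${{ secrets.X }} and the documentation placeholder.
REFERENCE = re.compile(r"^(\$\{?\w+\}?|\$\{\{.*|YOUR_TOKEN)$")

def find_hardcoded_tokens(text):
    """Return (line_number, redacted_value) for each literal bearer value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in BEARER.finditer(line):
            value = match.group(1)
            if REFERENCE.match(value):
                continue
            # Redact so the scanner's own output does not leak the token.
            findings.append((lineno, value[:4] + "..."))
    return findings

# Constructed sample: two safe references and one hardcoded value.
SAMPLE = '''\
steps:
  - run: curl -H "Authorization: Bearer $QUALYTICS_TOKEN" https://your-instance.qualytics.io/api/datastores
  - run: curl -H "Authorization: Bearer ${{ secrets.QUALYTICS_TOKEN }}" https://your-instance.qualytics.io/api/datastores
  - run: curl -H "Authorization: Bearer abcd1234-constructed-example" https://your-instance.qualytics.io/api/datastores
'''

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_tokens(SAMPLE):
        print(f"line {lineno}: hardcoded bearer token ({redacted})")
```

A finding means the token is already in the file's history, so treat it as compromised: revoke it and generate a new one.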

Can I use the Qualytics CLI with a Personal Token?

Yes. The Qualytics CLI accepts a Personal Token for authentication. See the CLI Authentication documentation for setup instructions.

Does a long-running job keep the token alive?

No. Tokens do not have an idle timeout — they remain valid until their expiration date or until they are revoked. A job running for hours or days will continue to work as long as the token has not expired or been revoked during execution.

Security

What should I do if my token is compromised?

Revoke the token immediately, generate a new one, update your scripts and configurations, and review your recent API activity to check for unauthorized access.

What happens to my tokens if I leave the organization?

When your account is deactivated, all your Personal Tokens stop working immediately. This is why Personal Tokens should not be used for production automation — use Service Tokens instead, which are tied to Service Users that persist independently of any human user.

Can I manage Personal Tokens via API?

Yes. You can list, create, revoke, restore, and delete your own tokens programmatically. See the Personal Token API page for all endpoints and examples.