Personal Access Tokens Introduction

A Personal Access Token (PAT) is a secure credential that allows an individual user to authenticate with an API without using a password. PATs are a widely adopted standard in modern platforms for enabling programmatic access — whether through scripts, CLI tools, or third-party integrations.

Each token is tied to a specific user and inherits that user's permissions. When a PAT is used to make an API request, the platform treats it as if the user themselves were making the request.

Why Use Personal Access Tokens?

  • No passwords in code — PATs replace the need to embed usernames and passwords in scripts or automation. This reduces the risk of credential exposure.
  • Scoped to a user — Each token inherits the permissions of the user who created it, providing a clear audit trail of who performed which actions.
  • Revocable — If a token is compromised, it can be revoked immediately without changing the user's password or affecting other tokens.
  • Expiration — Tokens can be configured to expire after a set period, limiting the window of exposure if a token is leaked.
  • Multiple tokens — Users can create separate tokens for different purposes (e.g., one for CLI, one for CI/CD, one for testing), making it easy to manage and revoke access per use case.

PATs vs Service Tokens

Qualytics provides two types of tokens. Understanding the difference helps you choose the right one for your use case.

Aspect      | Personal Access Token                     | Service Token
Created by  | Any user (self-service)                   | Admin only
Tied to     | An individual user account                | A Service User
Use case    | Personal development, testing, CLI access | Automation, pipelines, integrations
Permissions | Inherits the user's own permissions       | Inherits the Service User's assigned role and teams
Visibility  | Only visible to the user who created it   | Visible to all Admins

Tip

For automation workflows that require long-lived credentials managed by administrators rather than individual users, see the Service Token Introduction documentation.


Deep Dive

Understand how Personal Tokens work under the hood — generation, authentication, expiration, lifecycle, and security.

  • How It Works: Token generation, authentication flow, expiration, lifecycle, SCIM tokens, and security.
  • Permissions: Roles required to generate, revoke, restore, and delete Personal Tokens.
  • Best Practices: Token naming, storage, expiration strategy, rotation, and security.


Managing

Create, monitor, revoke, restore, and delete your Personal Tokens.

  • Generate Token: Create a new Personal Access Token for API authentication.
  • Revoke Token: Deactivate a token to immediately prevent API access.
  • Restore Token: Reactivate a previously revoked token.
  • Delete Token: Permanently remove a revoked or expired token.
  • List Columns: Understand the Personal Tokens list columns: key icon, name, expiration, last used, and status.


API & FAQ

  • API: Generate, list, update, and revoke Personal Tokens via the API.
  • FAQ: Token rotation, expiration behavior, revocation effects, multiple tokens, and troubleshooting.