Service Token Permissions

This page covers the roles and permissions required to view and manage Service Tokens.

Workspace-Level Only

Token management is a global platform feature — it is not scoped to individual datastores or teams. Unlike datastore features that use two permission layers (User Roles + Team Permissions), token operations are controlled exclusively by User Roles. Team Permissions do not apply.

User Roles (Workspace-Level)

Only users with the Admin role can view and manage Service Tokens. All Service Token operations are administrator-controlled.

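| Action | Member | Manager | Admin |
|---|---|---|---|
| See the Service tab in Access Tokens | No | No | Yes |
| View all Service Tokens | No | No | Yes |
| Generate Service Token | No | No | Yes |
| Revoke Service Token | No | No | Yes |
| Restore Service Token | No | No | Yes |
| Delete Service Token | No | No | Yes |
| Create SCIM Administration Token | No | No | Yes |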

UI Behavior Without Permission

| Scenario | What the User Sees |
|---|---|
| User has Member or Manager role | The Service tab is hidden. The user cannot see or manage Service Tokens. |
| User has Admin role | Both Personal and Service tabs are visible. The token form shows the Type selector (Personal/Service), Service User picker, Expiration, and SCIM Administration Token checkbox. |

API Permissions

| Endpoint | Method | Required Role | Description |
|---|---|---|---|
| /user-tokens/service | GET | Admin | List all Service Tokens across all Service Users. |
| /user-tokens | POST | Admin | Create a Service Token (when user_id is provided). |
| /user-tokens/{id} | PUT | Admin | Revoke or restore any Service Token. |
| /user-tokens/{id} | DELETE | Admin | Delete any Service Token (must be revoked first). |

Constraints

  • Token names must be unique per Service User — duplicate names return a conflict error (409).
  • Active tokens cannot be deleted — you must revoke a token before you can delete it.
  • Service Tokens can only be created for Service Users — attempting to assign a Service Token to a regular user account returns an error.
  • Internal users are blocked — system internal users cannot be targeted for token operations.
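The role check and the constraints above can be read as one small state machine. The following in-memory model is an added example, not Qualytics code: the class, method and exception names, the order of the checks, and counting revoked tokens toward name uniqueness are assumptions, and only the 409 status comes from this page.

```python
"""Constructed in-memory model of the Service Token rules on this page."""
from dataclasses import dataclass, field

class Denied(Exception):
    """Caller's workspace role is not Admin."""

class Conflict(Exception):
    """Duplicate token name for the same Service User (the page's 409)."""
    status = 409

class Rejected(Exception):
    """Any other constraint violation; the page gives no status code for these."""

@dataclass
class TokenStore:
    service_users: set                                  # ids that are Service Users
    internal_users: set = field(default_factory=set)    # system internal users
    tokens: dict = field(default_factory=dict)          # id -> {user_id, name, revoked}
    _next_id: int = 1

    def _admin(self, role):
        if role != "Admin":   # Member and Manager are refused; Team Permissions play no part
            raise Denied(role)

    def create(self, role, user_id, name):
        self._admin(role)
        if user_id in self.internal_users:
            raise Rejected("internal users cannot be targeted")
        if user_id not in self.service_users:
            raise Rejected("Service Tokens can only be created for Service Users")
        if any(t["user_id"] == user_id and t["name"] == name for t in self.tokens.values()):
            raise Conflict(name)
        tid, self._next_id = self._next_id, self._next_id + 1
        self.tokens[tid] = {"user_id": user_id, "name": name, "revoked": False}
        return tid

    def set_revoked(self, role, tid, revoked):   # revoke (True) or restore (False)
        self._admin(role)
        self.tokens[tid]["revoked"] = revoked

    def delete(self, role, tid):
        self._admin(role)
        if not self.tokens[tid]["revoked"]:
            raise Rejected("revoke the token before deleting it")
        del self.tokens[tid]

    def list_service(self, role):
        self._admin(role)
        return sorted(self.tokens)
```

A model like this is useful as a mock when testing automation that rotates tokens: the revoke-then-delete ordering and the per-user name conflict are the two cases scripts most often get wrong.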

Personal Token Permissions

For permissions related to Personal Access Tokens (self-service, Member role), see the Personal Token Permissions page.

Full User Roles Reference

For the complete User Roles matrix across all Qualytics features, see the User Roles page.