• HOME
  • INTEGRATIONS
  • SDKS
  • GUIDES
  • API DOCS
No results for ""
EXPAND ALL
CLOSE
launchdarkly.com

EDIT ON GITHUB

Personal API access tokens

Read time: 2 minutes
Last edited: Apr 27, 2020

Overview

This topic explains how to use personal API access tokens to authenticate with the LaunchDarkly REST API, as well as constraints and suggestions for implementing them.

Personal API access tokens are private
Only you can see the tokens you create; other team members cannot see them. Administrators can delete your tokens, but cannot see their values.

Scoping personal API access tokens

You can scope your personal API tokens to restrict the set of operations they can perform. For example, you can build an integration that only has read access to the REST API.

The available scoping options are:

  • Built-in roles: Gives a token the same permissions as a reader, writer, or admin.
  • Custom roles: Gives a token the same permissions as one of your team's existing custom roles. This option is only available if your LaunchDarkly plan includes custom roles.
  • In-line custom roles: Gives a token a custom set of permissions in-line, rather than specifying it as an existing custom role. This option is only available if your LaunchDarkly plan includes custom roles.
Never share a personal API access token
Personal API access tokens are unique to the person who creates them. If you share your access token with others, they may be able to use it to impersonate you, or perform actions with it that could later be attributed to you erroneously.

Understanding personal API access tokens' permissions

When you create a new token, it has the same permissions that you do. Your tokens can never do more than you can in LaunchDarkly.

Personal API access tokens and the principle of least privilege

As a best practice, we recommend giving your tokens the smallest scope required for your integration. For example, if your integration is not designed to modify your Production environment, use a custom role or inline policy to restrict access appropriately.

If your own permissions are ever reduced, tokens you have created have reduced scope as well.

For example, if you are a Writer and create a Writer token, but then are downgraded to a Reader, your Writer token will behave like a Reader token.

Creating personal API access tokens

You can create a personal API access token from the Account settings page.

Save new tokens immediately
Your API access token is visible one time, immediately after you create it. If you leave or refresh the page where the token is displayed, it will be obscured and no longer visible. You must copy and store new access tokens somewhere secure before you leave the creation page, or you will lost access to the token.

The Access tokens page with an obscured access token called out.
The Access tokens page with an obscured access token called out.

To create a personal access token:

  1. Navigate to the Account settings page.
  2. Click into the Access tokens tab.
  3. Click + token. The Create an access token screen appears.

The Create an access token screen.
The Create an access token screen.

  1. Give your token a human-readable Name.
  2. Assign a Role to the token by choosing one from the dropdown.
  3. Click Save Token. The new token appears in the Access tokens page.
  4. Copy and save the token somewhere secure. After you leave this page, the token will be obscured.

A new access token with a reminder to copy and store it displayed.
A new access token with a reminder to copy and store it displayed.

After you create a token, you can Clone or Delete it from the "Access tokens" screen.

  • Clone: Clones the access token. This allows you to create multiple access tokens with the same set of permissions, rather than having to fill out each token's information in the "Create an access token" screen.
  • Delete: Deletes the access token. If you delete a token, API calls made with that token return 401 Unauthorized status codes.

A new access token with the Clone and Delete buttons called out.
A new access token with the Clone and Delete buttons called out.

You can also manage existing tokens from the Authorizations tab. From that tab, you can change the scope of your tokens or delete them.

Rotate your tokens regularly
As a best practice, we recommend rotating your tokens regularly to prevent tokens from becoming outdated, such as when team members leave. If you remove a team member from your account, their personal API access tokens become invalid. We recommend updating integrations to use new access tokens before removing team members.

Restricting who can create and manage personal API access tokens

By default, all team members can create access tokens limited to their existing permissions. Team members with reader level permissions can only create tokens with reader permissions, whereas admins and owners can create tokens with any permission level.

You can restrict team members from creating or managing access tokens with custom roles.

To learn more, read Actions in custom roles.