Secure your token
Store PATs safely and limit blast radius.
A Personal Access Token is a bearer credential: anyone who holds it, whether a person or a service, can act with its scopes until it expires or is revoked. The server does not distinguish the intended client from a thief.
Store it safely
- Use a secrets manager or deployment environment variable.
- Do not paste tokens into source code.
- Do not commit tokens to Git.
- Do not send tokens in chat, screenshots, or support tickets.
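The habits in the list above can be enforced in code. The example below is added here and is not the product's own tooling: it loads the token from an environment variable (populated by a secrets manager or the deployment), fails closed when it is missing, redacts it for logs so only the identifying prefix survives, and scans file contents for token-shaped strings so a pre-commit hook can block an accidental commit. The variable name `PAT_TOKEN`, the `pat_` prefix and the token length are assumptions for illustration, not this product's real format.

```python
"""Handle a Personal Access Token as a bearer credential: load it from the
environment, never from source, keep it out of logs, and catch commits that
would leak it. Added example; PAT_TOKEN and the "pat_" prefix are hypothetical."""
import os
import re
from typing import Dict, Iterable, List, Mapping

ENV_VAR = "PAT_TOKEN"      # hypothetical environment variable name
TOKEN_PREFIX = "pat_"      # hypothetical token prefix, assumed for illustration
# Hypothetical token shape: prefix followed by 20 or more URL-safe characters.
TOKEN_RE = re.compile(r"\b" + re.escape(TOKEN_PREFIX) + r"[A-Za-z0-9_-]{20,}")

# Constructed sample of a source file with a hardcoded token (the mistake to catch).
SAMPLE_SOURCE = (
    'API_TOKEN = "pat_0123456789abcdefghij"  # hardcoded, would be committed\n'
    'BASE_URL = "https://example.invalid/api"\n'
)


class MissingTokenError(RuntimeError):
    """Raised when no token is configured; fail closed rather than fall back."""


def load_token(env: Mapping[str, str] = os.environ) -> str:
    """Read the token from the environment (or a secrets-manager-populated env)."""
    value = env.get(ENV_VAR, "").strip()
    if not value:
        raise MissingTokenError(f"{ENV_VAR} is not set; refusing to run without a token")
    return value


def redact(token: str, keep: int = 8) -> str:
    """Render a token for logs: keep the identifying prefix, mask the secret part."""
    if len(token) <= keep:
        return "*" * len(token)
    return token[:keep] + "*" * (len(token) - keep)


def auth_header(token: str) -> Dict[str, str]:
    """Build the Authorization header; the token travels only here, never in a URL."""
    return {"Authorization": f"Bearer {token}"}


def find_tokens(text: str) -> List[str]:
    """Return token-shaped strings found in text (used by the pre-commit scan)."""
    return TOKEN_RE.findall(text)


def scan_files(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Map each path to the redacted token-like strings it contains; clean files are omitted."""
    hits: Dict[str, List[str]] = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                found = find_tokens(fh.read())
        except OSError:
            continue  # deleted or unreadable path: nothing to leak from it
        if found:
            hits[path] = [redact(t) for t in found]
    return hits


if __name__ == "__main__":
    import subprocess
    import sys
    # Pre-commit use: scan staged files and refuse the commit if a token is present.
    staged = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=False,
    ).stdout.split()
    findings = scan_files(staged)
    for path, tokens in findings.items():
        print(f"{path}: possible token(s) {tokens}", file=sys.stderr)
    sys.exit(1 if findings else 0)
```

Installed as `.git/hooks/pre-commit`, the script exits non-zero when any staged file contains a token-shaped string, so the commit is blocked before the secret reaches history; `redact` keeps the prefix so a finding can be matched to the prefix column in Settings → API Tokens without printing the secret itself.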
Reduce risk
- Choose the narrowest scopes.
- Use shorter expiry for experiments.
- Create separate tokens per app or environment.
- Revoke tokens that are unused or no longer needed.
If a token leaks
Revoke immediately
Open Settings → API Tokens and revoke the exposed token.
Rotate downstream config
Remove the old value from any deployment, secret store, or local environment so nothing keeps retrying with the revoked token.
Create a replacement
Use only the scopes the client truly needs.
Revoke a token
Revoking a token is immediate and cannot be undone.
Revoke flow
Open API Tokens
Go to Settings → API Tokens.
Find the token
Use the name, prefix, workspace, expiry, and last-used columns to identify it.
Click Revoke
Confirm the warning. External clients using the token stop working immediately.
When to revoke
- The token leaked.
- The external client was decommissioned.
- You need different scopes.
- A teammate or vendor no longer needs access.
- The token belongs to the wrong workspace context.
After revoking
If the automation still needs access, create a new token and update the external client configuration.
Team tokens
When you create a token inside a Team workspace, the token is bound to that team context. Keep team tokens separate from personal automation.