Overview
Navigate to Settings → API Tokens to create and manage API keys for your organization. Each token grants scoped, programmatic access to your data without sharing your admin credentials.
Creating an API Token
- Click Create Token
- Fill in the token details:
  - Name — A label to identify where this token is used (e.g. “Website Integration”)
  - Description — Optional note on what the token is used for
  - Scopes — Select the resources and permission level (Read or Write) for each
  - Expires — Set an expiry date or leave empty for a token that never expires
- Click Save
- Copy the token immediately — it will not be shown again after you close the dialog
Token scopes
Each token is granted access to specific resources with either Read or Write permission:
- Read — Allows fetching data (GET requests)
- Write — Allows creating and updating data (POST/PUT/PATCH requests)
Token expiry
| Option | Use when |
|---|---|
| 1 hour / 6 hours / 1 day | Short-lived scripts or one-time operations |
| 1 week / 2 weeks / 1 month | Temporary integrations or testing |
| No expiry | Long-running integrations that you actively manage |
Revoking a token
- Find the token in the list
- Click Revoke Token
- Confirm the action
Access and permissions
Creating and revoking API tokens requires the settings.manage.organization permission. This means only admins and users with full settings management can access this page — managers and other roles cannot create or view API tokens.
Security best practices
- Give tokens descriptive names so you know what each one is for
- Use the minimum required scopes — do not grant write access if only read is needed
- Set an expiry for tokens used in short-term scripts or testing
- Revoke unused tokens — regularly audit the token list and remove tokens that are no longer in use
- Never share tokens in source code, emails, or public channels
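One way to run the audit these practices describe, as an added example that is not part of the product or its API: it compares each token's granted scopes with the requests actually made, using the Read = GET and Write = POST/PUT/PATCH mapping above. The inventory and request-log layouts, the resource names `orders` and `customers`, and the 30-day staleness window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Permission level each HTTP method needs, per the "Token scopes" section.
METHOD_LEVEL = {"GET": "read", "POST": "write", "PUT": "write", "PATCH": "write"}

def audit_tokens(tokens, requests, now, stale_after=timedelta(days=30)):
    """Return {token name: [findings]} for a token inventory and a request log."""
    used = {}       # token name -> {resource: highest level actually used}
    last_seen = {}  # token name -> time of most recent request
    for when, name, method, resource in requests:
        level = METHOD_LEVEL.get(method)
        if level is None:
            continue  # method outside the Read/Write mapping
        seen = used.setdefault(name, {})
        if level == "write" or resource not in seen:
            seen[resource] = level  # a write is never downgraded by a later read
        last_seen[name] = max(when, last_seen.get(name, when))
    report = {}
    for tok in tokens:
        name, findings = tok["name"], []
        seen = used.get(name, {})
        for resource, granted in sorted(tok["scopes"].items()):
            if resource not in seen:
                findings.append(f"{resource}: scope granted but never used")
            elif granted == "write" and seen[resource] == "read":
                findings.append(f"{resource}: write granted, only read used")
        if tok["expires"] is None:
            findings.append("no expiry set")
        if name not in last_seen or now - last_seen[name] > stale_after:
            findings.append("unused, candidate for revocation")
        report[name] = findings
    return report

# Constructed sample data (hypothetical layout, not an export format of the product).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
TOKENS = [
    {"name": "Website Integration",
     "scopes": {"orders": "write", "customers": "read"}, "expires": None},
    {"name": "Migration script",
     "scopes": {"customers": "write"}, "expires": NOW + timedelta(days=1)},
]
REQUESTS = [
    (NOW - timedelta(days=2), "Website Integration", "GET", "orders"),
    (NOW - timedelta(days=1), "Website Integration", "GET", "customers"),
]

if __name__ == "__main__":
    for name, findings in audit_tokens(TOKENS, REQUESTS, NOW).items():
        print(name, "->", findings or ["ok"])
```

A finding is a prompt to review the token in Settings → API Tokens, not proof of misuse: a scope may be unused only because the integration has not yet exercised it within the log window.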
Related
- Integrations — Connect third-party services like Stripe and Google.
- Public API — API reference documentation.