
API Tokens

API tokens provide secure, programmatic access to your organization's resources. Tokens are scoped to your organization and can be used to authenticate API requests without user credentials.

Current Capabilities

API tokens currently support:

  • SCIM Provisioning – Automate user and group management from your identity provider (Okta, Azure AD, etc.)

Future Support

Additional API endpoints will be supported with API tokens in future releases.

Generating a Token

  1. Navigate to Admin Settings in your organization
  2. Find the API Tokens section
  3. Click Generate Token
  4. Enter a descriptive name (e.g., "Okta SCIM Integration")
  5. Click Generate
  6. Copy your token immediately – it will not be shown again

Security Notice

The token is displayed only once after generation. Store it securely. If you lose the token, you'll need to generate a new one.

Using the Token

Include the token in the Authorization header of your API requests:

curl -H "Authorization: Bearer wxt_xxxxx" \
https://your-domain.example.com/scim/v2/Users

Token Format

Tokens are prefixed with wxt_ followed by a cryptographically random string:

wxt_aBcDeFgHiJkLmNoPqRsTuVwXyZ1234567890abc

Security

  • Hashed Storage – Tokens are hashed before being stored. The plain token is never persisted.
  • Organization Scoped – Each token is tied to a specific organization.
  • Usage Tracking – The system tracks when each token was last used.
  • Revocable – Tokens can be revoked instantly from the Admin Settings.
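
The four properties above can be seen together in a small model. This is an added illustration, not the product's own code: the TokenStore class, the choice of SHA-256, the token length and the in-memory dictionary are all assumptions, since this page does not name the hash algorithm or the storage layer.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIX = "wxt_"  # token prefix documented on this page


class TokenStore:
    """Hypothetical in-memory stand-in for a token table; it holds only hashes."""

    def __init__(self):
        self._rows = {}  # SHA-256 hex digest -> token record

    @staticmethod
    def _digest(token: str) -> str:
        # Assumption: SHA-256. A fast unsalted hash is adequate here only
        # because the token is a long random string, not a human password.
        return hashlib.sha256(token.encode()).hexdigest()

    def generate(self, org_id: str, name: str) -> str:
        token = PREFIX + secrets.token_urlsafe(32)  # length is an assumption
        self._rows[self._digest(token)] = {
            "org_id": org_id, "name": name, "last_used": None, "revoked": False,
        }
        return token  # returned once to the caller, never persisted

    def authenticate(self, authorization_header: str, org_id: str) -> bool:
        scheme, _, token = authorization_header.partition(" ")
        if scheme.lower() != "bearer" or not token.startswith(PREFIX):
            return False
        # Lookup is by digest, so the plain token is never compared or stored.
        row = self._rows.get(self._digest(token))
        if row is None or row["revoked"]:
            return False
        if row["org_id"] != org_id:  # organization scoping
            return False
        row["last_used"] = datetime.now(timezone.utc)  # usage tracking
        return True

    def revoke(self, name: str) -> None:
        # Revocation takes effect on the very next authenticate() call.
        for row in self._rows.values():
            if row["name"] == name:
                row["revoked"] = True
```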

Revoking a Token

  1. Navigate to Admin Settings
  2. Find the token in the API Tokens list
  3. Click the trash icon next to the token
  4. Confirm the revocation

Revoking a token immediately invalidates it. Any integrations using that token will stop working.

Best Practices

  • Use descriptive names – Name tokens after their purpose (e.g., "Okta SCIM", "Azure AD Sync")
  • Rotate tokens periodically – Generate new tokens and revoke old ones on a regular schedule
  • Use separate tokens – Create different tokens for different integrations
  • Monitor usage – Check the "Last used" timestamp to identify unused tokens
  • Revoke unused tokens – Remove tokens that are no longer needed

On-Premises Deployments

For on-premises deployments, you can alternatively use the AUTH_SECRET environment variable for SCIM authentication. This provides backward compatibility for simpler setups that don't require multiple tokens.

See SCIM Provisioning for more details on configuring SCIM endpoints.