Articles in this section

Managing API tokens

API tokens and Personal Access Tokens (PATs) let you authenticate to the integrator.io API from external applications, scripts, or services. Depending on your role, you can create one of two token types:

  • API tokens — available to account owners and administrators. Can be configured with full or custom resource access.

  • Personal Access Tokens (PATs) — available to all users, including those with manage or monitor roles. PATs can only access what your user account can access — no additional permissions can be granted.

Account owners and administrators can view and manage all API tokens in the account. They can also see PATs created by other users and revoke them, but cannot reveal PAT values. Users with manage or monitor roles can view and manage only their own PATs.

Manage API tokens and Personal Access Tokens

Go to Resources > API tokens to manage your tokens. The tokens table includes the following columns:

  • Name — the token name assigned at creation.

  • User — the owner of the token. Populated for PATs; blank for API tokens.

  • ScopeUser for PATs; Full access or Custom for API tokens.

  • StatusActive or Revoked.

  • Last updated — the date the token was last modified.

Several options are available under Action:

  • Edit token

  • View audit log

  • Revoke token

  • Generate new token

To copy a token value, select Show token and select the copy button. Show token is only available to the token owner — administrators cannot reveal another user's PAT value.

To view token details — including expiration date, resource access, and token string — select the token name in the table.

Create an API token

API tokens give account owners and administrators full or custom access to account resources via the integrator.io API.

  1. From the left nav, go to Resources > API tokens.

  2. Select Generate token.

  3. If you have an administrator role, select API Token as the token type.

  4. Under General, enter a name and optional description for your token.

  5. Select an Auto purge token interval.

  6. Under Token permissions, select a scope:

    • Full access — the token can access all resources in the account.

    • Custom — select specific Connections, Exports, Imports, APIs, and MCP servers this token can access.

  7. Select Save.

Note

Copy your token value and store it securely — it will not be shown again.

Create a Personal Access Token

Personal Access Tokens (PATs) provide API access scoped to your own user permissions. They can be created by any user with a manage, monitor, or administrator role.

  1. From the left nav, go to Resources > API tokens.

  2. Select Generate token.

  3. If you have an administrator role, select Personal Access Token as the token type.

  4. Enter a name and optional description for your token.

  5. Select a token expiration. PATs default to 90 days.

  6. Select Save.

Note

Copy your token value and store it securely — it will not be shown again.

PATs inherit your user permissions. You cannot configure custom resource scopes for a PAT.

Frequently asked questions

Why am I getting token email notifications?

Celigo sends email notifications to account owners and administrators whenever an API token is created, accessed, modified, or revealed in plain text. You can review the audit logs to determine who took each action.

For Personal Access Tokens, the Show token action is restricted to the token owner. Revealing a PAT does not send a notification to administrators.

The actual token value is never revealed in any email notification.

If you suspect that your account password has been compromised, go to Account > Profile and select Edit next to Password to specify a new password.

How often does a token expire?

API tokens and PATs expire at an interval you choose at creation. The token can be automatically purged:

  • Never

  • After 1 hour

  • After 4 hours

  • After 1 day

  • After 4 days

  • After 10 days

  • After 30 days

  • After 90 days

Personal Access Tokens default to 90 days. API tokens have no default purge interval.

What happens to a PAT when a user is disabled or deleted?

  • Disabled user: The PAT remains active in the tokens table, but all API calls made using that token are blocked at the platform level. The token is not automatically revoked.

  • Deleted user: All PATs belonging to the deleted user are automatically revoked and removed from the tokens table.

Can administrators manage other users' Personal Access Tokens (PATs)?

Administrators can revoke another user's PAT from the tokens table. However, administrators cannot:

  • View (reveal) another user's PAT value

  • Reset or regenerate another user's PAT

PAT actions — including create, view, and revoke — are logged in the audit log under the API token resource type.

Why is the API token value in plain text?

For standard API tokens, only account owners and administrators can view the token value in plain text. When an owner or administrator reveals an API token, an email notification is sent to all account owners and administrators.

For Personal Access Tokens, only the token owner can reveal the token value. Administrators cannot view another user's PAT in plain text and do not receive email notifications when a PAT owner reveals their own token.

Is the API token committed to any source code repository?

Tokens are securely generated and are unique to each customer's account and token instance. The keys are safely secured in a database and are not stored in any code repository. The same security measures for storing credentials are used for API token encryption and safety.

Why can't API tokens use ENV variables or a secret management system where tokens are not exposed in plain text?

Only account owners or administrators can view tokens as needed for debugging purposes. API tokens have two classifications:

  • Account-level API tokens:

    • For custom integrations, users can perform Create, Read, Update, or Delete (CRUD) operations.

    • For integration apps, users can perform Read and Update operations, but tokens are restricted from creating or deleting integration app data.

    • Updates are also limited to specific fields that can only be configured from within the user interface.

  • Integration app-level API tokens:

    • Users can use these tokens to trigger exports and imports.

Why does the API token require full access and not read only?

The main purpose of the tokens is to enable developers to debug or build features on integrator.io via the API (instead of through the user interface).

Why did we not get this alert in the test environment and only in the production environment?

An alert is always triggered if an API token is viewed in plain text. Contact Celigo support if you don't receive a notification.

Is the API token protected behind a secure login or are these workflows available widely? If it is protected behind a login who are the people with access to this?

Users with owner, administrator, manage, or monitor roles can access the API tokens page. Owners and administrators can view all tokens in the account. Manage and monitor users can view only their own PATs.

Do we have any audit mechanism to who is logging in to the accounts that have access to the key?

Tokens have audit info like any other integrator.io resource.

How do I get a token value in the response header?

To get a refresh token value in your response header, add the following handlebar statement to your request {{connection.rest.header.<token-name>}}.

Can I perform CRUD operations with API tokens that have custom scopes?

When you create an access token for connections, exports, or imports, you can't perform create, read, update, or delete (CRUD) operations on those resources. Export scopes will provide access to invoke the exports, but will not allow CRUD operations on any export. Import scopes will provide access to invoke the imports, but will not allow CRUD operations on any import.

Connection scopes allow you to invoke virtual exports and imports for a given configured connection. For a full list of supported endpoints, see the integrator.io API documentation.