API tokens and Personal Access Tokens (PATs) let you authenticate to the integrator.io API from external applications, scripts, or services. Depending on your role, you can create one of two token types:
-
API tokens — available to account owners and administrators. Can be configured with full or custom resource access.
-
Personal Access Tokens (PATs) — available to all users, including those with manage or monitor roles. PATs can only access what your user account can access — no additional permissions can be granted.
Account owners and administrators can view and manage all API tokens in the account. They can also see PATs created by other users and revoke them, but cannot reveal PAT values. Users with manage or monitor roles can view and manage only their own PATs.
Go to Resources > API tokens to manage your tokens. The tokens table includes the following columns:
-
Name — the token name assigned at creation.
-
User — the owner of the token. Populated for PATs; blank for API tokens.
-
Scope — User for PATs; Full access or Custom for API tokens.
-
Status — Active or Revoked.
-
Last updated — the date the token was last modified.
Several options are available under Action:
-
Edit token
-
View audit log
-
Revoke token
-
Generate new token
To copy a token value, select Show token and select the copy button. Show token is only available to the token owner — administrators cannot reveal another user's PAT value.
To view token details — including expiration date, resource access, and token string — select the token name in the table.
API tokens give account owners and administrators full or custom access to account resources via the integrator.io API.
-
From the left nav, go to Resources > API tokens.
-
Select Generate token.
-
If you have an administrator role, select API Token as the token type.
-
Under General, enter a name and optional description for your token.
-
Select an Auto purge token interval.
-
Under Token permissions, select a scope:
-
Full access — the token can access all resources in the account.
-
Custom — select specific Connections, Exports, Imports, APIs, and MCP servers this token can access.
-
-
Select Save.
Note
Copy your token value and store it securely — it will not be shown again.
Personal Access Tokens (PATs) provide API access scoped to your own user permissions. They can be created by any user with a manage, monitor, or administrator role.
-
From the left nav, go to Resources > API tokens.
-
Select Generate token.
-
If you have an administrator role, select Personal Access Token as the token type.
-
Enter a name and optional description for your token.
-
Select a token expiration. PATs default to 90 days.
-
Select Save.
Note
Copy your token value and store it securely — it will not be shown again.
PATs inherit your user permissions. You cannot configure custom resource scopes for a PAT.
Celigo sends email notifications to account owners and administrators whenever an API token is created, accessed, modified, or revealed in plain text. You can review the audit logs to determine who took each action.
For Personal Access Tokens, the Show token action is restricted to the token owner. Revealing a PAT does not send a notification to administrators.
The actual token value is never revealed in any email notification.
If you suspect that your account password has been compromised, go to Account > Profile and select Edit next to Password to specify a new password.
API tokens and PATs expire at an interval you choose at creation. The token can be automatically purged:
-
Never
-
After 1 hour
-
After 4 hours
-
After 1 day
-
After 4 days
-
After 10 days
-
After 30 days
-
After 90 days
Personal Access Tokens default to 90 days. API tokens have no default purge interval.
-
Disabled user: The PAT remains active in the tokens table, but all API calls made using that token are blocked at the platform level. The token is not automatically revoked.
-
Deleted user: All PATs belonging to the deleted user are automatically revoked and removed from the tokens table.
Administrators can revoke another user's PAT from the tokens table. However, administrators cannot:
-
View (reveal) another user's PAT value
-
Reset or regenerate another user's PAT
PAT actions — including create, view, and revoke — are logged in the audit log under the API token resource type.
For standard API tokens, only account owners and administrators can view the token value in plain text. When an owner or administrator reveals an API token, an email notification is sent to all account owners and administrators.
For Personal Access Tokens, only the token owner can reveal the token value. Administrators cannot view another user's PAT in plain text and do not receive email notifications when a PAT owner reveals their own token.
Tokens are securely generated and are unique to each customer's account and token instance. The keys are safely secured in a database and are not stored in any code repository. The same security measures for storing credentials are used for API token encryption and safety.
Why can't API tokens use ENV variables or a secret management system where tokens are not exposed in plain text?
Only account owners or administrators can view tokens as needed for debugging purposes. API tokens have two classifications:
-
Account-level API tokens:
-
For custom integrations, users can perform Create, Read, Update, or Delete (CRUD) operations.
-
For integration apps, users can perform Read and Update operations, but tokens are restricted from creating or deleting integration app data.
-
Updates are also limited to specific fields that can only be configured from within the user interface.
-
-
Integration app-level API tokens:
-
Users can use these tokens to trigger exports and imports.
-
The main purpose of the tokens is to enable developers to debug or build features on integrator.io via the API (instead of through the user interface).
An alert is always triggered if an API token is viewed in plain text. Contact Celigo support if you don't receive a notification.
Is the API token protected behind a secure login or are these workflows available widely? If it is protected behind a login who are the people with access to this?
Users with owner, administrator, manage, or monitor roles can access the API tokens page. Owners and administrators can view all tokens in the account. Manage and monitor users can view only their own PATs.
Tokens have audit info like any other integrator.io resource.
To get a refresh token value in your response header, add the following handlebar statement to your request {{connection.rest.header.<token-name>}}.
When you create an access token for connections, exports, or imports, you can't perform create, read, update, or delete (CRUD) operations on those resources. Export scopes will provide access to invoke the exports, but will not allow CRUD operations on any export. Import scopes will provide access to invoke the imports, but will not allow CRUD operations on any import.
Connection scopes allow you to invoke virtual exports and imports for a given configured connection. For a full list of supported endpoints, see the integrator.io API documentation.