Personal Access Tokens (PAT)
User-issued bearer tokens for programmatic API access. Scoped to specific operations (read / write / admin). Used in CI/CD pipelines, scripts, and Postman collections. Token value shown once at creation.
Issuer Access Tokens (IAT)
System-issued tokens bound to service accounts rather than individual users. Carry iss and aud claims for strict machine-to-machine authentication. Support rotation with an overlap window for zero-downtime key changes.
| Path | Screen |
|---|---|
| /idp/token-studio | Token Studio — PATs tab (default view, lists your personal access tokens) |
| /idp/token-studio/iats | IATs tab — lists all Issuer Access Tokens across all service accounts |
Personal Access Tokens (PATs)
Generate, name, set expiry, and revoke PATs for API access without interactive login. Covers scope selection, the one-time token copy flow, expiry warnings, and rotation best practices.
Issuer Access Tokens (IATs)
Create system-issued tokens scoped to service accounts. Covers IAT vs PAT differences, creation form, rotation with overlap window, and emergency revocation.