1
IATs vs PATs
Concept

System-issued tokens for service accounts

Issuer Access Tokens (IATs) are machine-identity tokens issued on behalf of service accounts rather than individual users. While a PAT carries your personal identity, an IAT references a service account identity and includes iss (issuer) and aud (audience) claims in the JWT payload, making them suitable for strict machine-to-machine (M2M) authentication flows where the receiving service validates the issuer and audience explicitly.

AttributePATIAT
Issued toA logged-in userA service account identity
JWT claimsUser sub, scopesService account sub, iss, aud, scopes
Use casePersonal tooling, CI/CDMachine-to-machine, daemon processes
Tied to a personYes β€” revokes if user is disabledNo β€” independent of any user account
RotationRevoke + generate newRotate (overlap window) or revoke
2
Open the IATs tab
Navigation

Navigate to /idp/token-studio/iats

In Token Studio, click the IATs tab. The list shows all Issuer Access Tokens registered in the system, regardless of which service account they belong to.

Token Studio β€” IATs /idp/token-studio/iats
Issuer Access Tokens
+ Create IAT
Token NameService AccountIssuerAudienceScopesExpiryStatusActions
payments-service-iat svc-payments idp.company.com payments.api.internal write 2026-12-31 Active
Rotate Revoke
audit-reader-iat svc-audit idp.company.com audit.api.internal read No expiry Active
Rotate Revoke
ColumnDescription
Token NameHuman-readable name for this IAT definition
Service AccountThe service account identity this token represents
IssuerThe iss claim in the JWT β€” typically your EmpowerNow IdP URL
AudienceThe aud claim β€” the URL or identifier of the target service
ScopesOperations this token is authorised for
ExpiryToken expiry date or "No expiry"
StatusActive, Expired, or Revoked
3
Create an IAT
Creation form

Click "+ Create IAT" and configure the token

Click + Create IAT. Fill in all required fields. The Issuer and Audience values will be embedded as claims in the signed JWT and are validated by the receiving service on every request.

ℹ️
Issuer and audience are validated on each request

The receiving service must be configured to trust this issuer URL and accept the audience value. Mismatches result in 401 Unauthorized errors. Coordinate with the team owning the target service before creating the IAT.

4
Rotate an IAT
Rotation with overlap

Generate a new signing key with an overlap window

Click Rotate on an IAT row. Unlike revocation, rotation does not immediately invalidate the existing token. Instead, a new signing key is generated and a configurable overlap window is opened during which both the old and new token values are accepted by the system. This gives downstream systems time to update their stored token value before the old one is retired.

After rotation

Copy the new token and update downstream systems

After confirming rotation, the new token value is displayed once in a success modal β€” copy it immediately using the same procedure as for PATs. Then update every system, CI/CD pipeline, and secrets manager entry that references the old token. The old token is automatically revoked at the end of the overlap window.

πŸ’‘
Inventory dependent systems before rotating

Before rotating, check which systems are configured with this IAT. An incomplete update will cause service disruptions when the overlap window closes. Maintain an inventory of IAT usage in your infrastructure documentation.

5
Revoke an IAT
Immediate revocation

Instantly invalidate an IAT

Click Revoke on an IAT row. Unlike rotation, revocation is immediate with no overlap window. Any downstream system using this IAT will receive a 401 Unauthorized error on its very next request.

🚨
Revocation causes immediate service disruption

Identify and notify the teams responsible for every system using this IAT before revoking. Use revocation only for security incidents where the token may be compromised. For planned replacements, use rotation instead.

When to revoke

Security incident scenarios

ScenarioActionNotes
Token value may be compromisedRevoke immediatelyAccept the service disruption β€” security takes priority
Service account is being decommissionedRevoke all IATs for the service accountEnsure no active systems still depend on the tokens
Token approaching expiryRotate (not revoke)Use the overlap window to update downstream systems gracefully
Planned key rotation (compliance)Rotate with overlapSchedule during a low-traffic window and monitor for errors