1
What Personal Access Tokens are
Overview

API access without interactive login

A Personal Access Token (PAT) is a long-lived, user-issued token that grants programmatic access to the EmpowerNow API on your behalf. Unlike a session cookie obtained from a browser login, a PAT is self-contained and can be embedded in automation tooling, CI/CD pipelines, scripts, and Postman collections.

AttributeValue
Token formatOpaque bearer token β€” passed in the Authorization: Bearer <token> header
IssuerYou (the logged-in user). The PAT acts as your identity.
ScopeRestricted to the scopes you select at generation time
ExpiryConfigurable: 7d, 30d, 90d, 1 year, or no expiry
VisibilityToken value shown once at creation β€” never displayed again
ℹ️
PAT vs. IAT

PATs are user-issued and carry your personal identity. Issuer Access Tokens (IATs) are system-issued and scoped to service accounts. Use PATs for personal tooling; use IATs for machine-to-machine integrations that should not be tied to a person.

2
Open Token Studio
Navigation

Navigate to /idp/token-studio

Go to Administration β†’ Token Studio. The PATs tab is selected by default. The list shows all tokens you have generated, with their current status, last-used timestamp, and remaining lifetime.

Token Studio β€” PATs /idp/token-studio
Total PATs
4
Active
3
Expired / Revoked
1
Personal Access Tokens
+ Generate Token
Token NameScopesCreatedExpiresLast UsedStatusActions
ci-pipeline-prod write 2026-03-01 2026-06-01 Today 02:14 Active Revoke
postman-readonly read 2026-04-10 2026-07-10 Yesterday Active Revoke
old-script read 2025-12-01 2026-03-01 2026-03-01 Expired β€”
3
Generate a PAT
Generation form

Click "+ Generate Token" and fill in the form

Click + Generate Token. A modal opens with the token configuration form. Fill in all required fields before clicking Generate.

FieldRequiredNotes
Token nameβ˜… YesHuman-readable label. Use the use-case, e.g. ci-pipeline-prod
Scopesβ˜… YesSelect minimum needed. Never select admin for read-only tools.
Expiryβ˜… YesSet an expiry whenever possible. "No expiry" is high risk.
πŸ’‘
Principle of least privilege

Only select the scopes your tool actually needs. A Postman collection that only reads data needs read only β€” not write or admin.

4
Copy the token value
One-time display

Copy the token immediately β€” it will never be shown again

After clicking Generate, the modal transitions to a success screen showing the full token value. This is the only time the token value will ever be displayed. If you close this modal without copying, you must revoke the token and generate a new one.

🚨
Store in a secrets manager immediately

Paste the token into your secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager, 1Password) before closing this modal. Never store tokens in code, environment files committed to source control, or plain text documents.

5
Expiry warnings & revocation
Status indicators

Identify expiring and expired tokens

The PAT list uses visual indicators to surface tokens that need attention. An amber ⚠️ warning icon appears beside any token expiring within 7 days. Expired tokens are shown with a red Expired status badge and are no longer valid for API calls.

Token expiry warnings
Token NameExpiresStatusActions
⚠️ deploy-staging In 5 days (2026-05-05) Expiring soon Revoke
ci-pipeline-prod 2026-07-30 Active Revoke
Rotation & revocation

Revoke a token and rotate

To immediately invalidate a token, click Revoke on its row. Revocation is instant β€” any API call using the token will receive a 401 Unauthorized response. Revoked tokens cannot be restored.

When rotating a token (e.g. approaching expiry), follow this order: (1) generate a new token, (2) update your script or CI/CD secret store with the new token value, (3) verify the new token works, (4) revoke the old token.

πŸ’‘
Rotate before expiry, not after

Begin the rotation process at least 48 hours before a token expires. Waiting until after expiry causes pipeline failures with no overlap window.

6
Use case reference
When to use which scope

Common PAT scenarios

Select scopes based on what your integration actually does. The table below covers the most common use cases and their recommended configurations.

Use caseRecommended scopeExpiryNotes
CI/CD pipeline deploymentswrite90 daysStore token as a CI/CD secret variable. Rotate on a schedule.
Postman collections (read-only)read30 daysUse for API exploration. Never grant write to Postman unless required.
Admin automation scriptsadmin7 daysShort expiry is critical for admin-scoped tokens. Run script, then revoke.
Monitoring / health-check agentsread1 yearLong expiry acceptable for read-only monitoring. Store securely in secrets manager.
🚫
Never commit tokens to source control

A PAT committed to a git repository β€” even a private one β€” should be treated as compromised. Revoke it immediately and generate a replacement. Use CI/CD secret variables or a secrets manager to inject tokens at runtime.